agenttesla | 218ec3e668160848093a7b64cb8325473821d466cf9d940e4bd5f4b981991936

Analysis

max time kernel
84s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat.exe
Size

54.0MB
MD5

5d20d04ed7f6024bed1388022efd5eb7
SHA1

d4d1d3e03b3dd89a3a3b0a02433cd99cd7abe1d6
SHA256

218ec3e668160848093a7b64cb8325473821d466cf9d940e4bd5f4b981991936
SHA512

55b4ffdc9f236211e458a86907fa498047636c8d90c3c43219a0d43dd5d2c0464f44cd31559674b417315c439fffacd8b0b09981009726a2a6beb1bd79c31e40
SSDEEP

1572864:8LOrJXzVj0mz3uu2etPQiWmoh8rEf8CQn:8LqJXBj0kuu3IDmnrEAn

Score

10^/10

agenttesla bootkit credential_access discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2632	powershell.exe
2188	powershell.exe

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\071826223749B945ED09EDEB4F888C1BE81F520F\Blob = 0f000000010000001400000040a98280da4863b2fd24c923e41070af0d5a93950200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000610062003800320034003900620030002d0063003500300066002d0034006100390034002d0061003000350038002d0065006200310035003300660036003300610030003400640000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000071826223749b945ed09edeb4f888c1be81f520f200000000100000000030000308202fc308201e4a003020102021076cf0c012befc18b43eb90f7df2dafaf300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303931363133323134315a180f32313234303832333133323134315a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b0481ab684ffdebd27c86eb563029cddf36c6a11e81012d752a4c00707f56f00ccfe761bd3f04f65f14307b7da2698cb55e576f9058f0a3591b3c27e36db9755413e8bc636cb4e40b2c4bab9f92348f08ffa625f377afbaba7c60b92b1e339ee846bbf85f1c5b85e2f519142457428b299c4119a702340d2024f9584a35d42ad6865cebe8e0250751ef4f33de7d36a8937168a3eb71fb0cc55435c5b29b613721b92251964d72d0098141350a239a1762ad017e2684598c54c4ba94714456b7062f6d84f8b58d018a42afe25c88fe3de07e40610a74cc8f08d11b6a328bd904b5273e5d3df06570d73789f91155933fb5f1bc4bad0c5ac546226a8586094127d0203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e40564f5248504241420030090603551d1304023000300d06092a864886f70d010105050003820101000f7ecfa3a0207522e53dba332733afe6da2bd7b1755750d8dbf45f547f290a3aff65b97ccfe3e4a70829e7f9248a8f1ca8ab60c936a870492db55da3edbd5cae65341d5594793191255c55d2b72a21dec36103b8c14e488f6693ae539b39e711f676818ef3f5f845c9e38c5c84e380580ac0eb123e0c49f106d3268654b3637b739fa9434cefa8323f89a1d12eb318f2f1be9ad995ca1a272c48943613b6be6d73c623ef4312bc27170991673f1b2653c9ccc9e02cc35fc066057b73911ec9d4d7d2ff5413c2ff11e742a446d2051e948f5b3263b25c4eb864349c6396be4fdfd1f4f41786562bc225a6f385d8fc4f7aa194e254925c31280bbe5f3a25c1ec48	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\071826223749B945ED09EDEB4F888C1BE81F520F\Blob = 0f000000010000001400000040a98280da4863b2fd24c923e41070af0d5a9395030000000100000014000000071826223749b945ed09edeb4f888c1be81f520f0200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000610062003800320034003900620030002d0063003500300066002d0034006100390034002d0061003000350038002d0065006200310035003300660036003300610030003400640000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000200000000100000000030000308202fc308201e4a003020102021076cf0c012befc18b43eb90f7df2dafaf300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303931363133323134315a180f32313234303832333133323134315a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b0481ab684ffdebd27c86eb563029cddf36c6a11e81012d752a4c00707f56f00ccfe761bd3f04f65f14307b7da2698cb55e576f9058f0a3591b3c27e36db9755413e8bc636cb4e40b2c4bab9f92348f08ffa625f377afbaba7c60b92b1e339ee846bbf85f1c5b85e2f519142457428b299c4119a702340d2024f9584a35d42ad6865cebe8e0250751ef4f33de7d36a8937168a3eb71fb0cc55435c5b29b613721b92251964d72d0098141350a239a1762ad017e2684598c54c4ba94714456b7062f6d84f8b58d018a42afe25c88fe3de07e40610a74cc8f08d11b6a328bd904b5273e5d3df06570d73789f91155933fb5f1bc4bad0c5ac546226a8586094127d0203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e40564f5248504241420030090603551d1304023000300d06092a864886f70d010105050003820101000f7ecfa3a0207522e53dba332733afe6da2bd7b1755750d8dbf45f547f290a3aff65b97ccfe3e4a70829e7f9248a8f1ca8ab60c936a870492db55da3edbd5cae65341d5594793191255c55d2b72a21dec36103b8c14e488f6693ae539b39e711f676818ef3f5f845c9e38c5c84e380580ac0eb123e0c49f106d3268654b3637b739fa9434cefa8323f89a1d12eb318f2f1be9ad995ca1a272c48943613b6be6d73c623ef4312bc27170991673f1b2653c9ccc9e02cc35fc066057b73911ec9d4d7d2ff5413c2ff11e742a446d2051e948f5b3263b25c4eb864349c6396be4fdfd1f4f41786562bc225a6f385d8fc4f7aa194e254925c31280bbe5f3a25c1ec48	IEXPLORE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\071826223749B945ED09EDEB4F888C1BE81F520F\Blob = 0f000000010000001400000040a98280da4863b2fd24c923e41070af0d5a9395030000000100000014000000071826223749b945ed09edeb4f888c1be81f520f200000000100000000030000308202fc308201e4a003020102021076cf0c012befc18b43eb90f7df2dafaf300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234303931363133323134315a180f32313234303832333133323134315a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b0481ab684ffdebd27c86eb563029cddf36c6a11e81012d752a4c00707f56f00ccfe761bd3f04f65f14307b7da2698cb55e576f9058f0a3591b3c27e36db9755413e8bc636cb4e40b2c4bab9f92348f08ffa625f377afbaba7c60b92b1e339ee846bbf85f1c5b85e2f519142457428b299c4119a702340d2024f9584a35d42ad6865cebe8e0250751ef4f33de7d36a8937168a3eb71fb0cc55435c5b29b613721b92251964d72d0098141350a239a1762ad017e2684598c54c4ba94714456b7062f6d84f8b58d018a42afe25c88fe3de07e40610a74cc8f08d11b6a328bd904b5273e5d3df06570d73789f91155933fb5f1bc4bad0c5ac546226a8586094127d0203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e40564f5248504241420030090603551d1304023000300d06092a864886f70d010105050003820101000f7ecfa3a0207522e53dba332733afe6da2bd7b1755750d8dbf45f547f290a3aff65b97ccfe3e4a70829e7f9248a8f1ca8ab60c936a870492db55da3edbd5cae65341d5594793191255c55d2b72a21dec36103b8c14e488f6693ae539b39e711f676818ef3f5f845c9e38c5c84e380580ac0eb123e0c49f106d3268654b3637b739fa9434cefa8323f89a1d12eb318f2f1be9ad995ca1a272c48943613b6be6d73c623ef4312bc27170991673f1b2653c9ccc9e02cc35fc066057b73911ec9d4d7d2ff5413c2ff11e742a446d2051e948f5b3263b25c4eb864349c6396be4fdfd1f4f41786562bc225a6f385d8fc4f7aa194e254925c31280bbe5f3a25c1ec48	IEXPLORE.EXE

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation	aj42ED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation	avg.exe

Executes dropped EXE 13 IoCs

pid	Process
2432	anti.exe
2956	PurchaseOrder.exe
2268	butdes.exe
1788	i.exe
1348	flydes.exe
2768	butdes.tmp
1804	flydes.tmp
2108	bundle.exe
1032	avg.exe
2096	gx.exe
2436	rckdck.exe
2960	setup.exe
2548	aj42ED.exe

Loads dropped DLL 30 IoCs

pid	Process
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2956	PurchaseOrder.exe
2956	PurchaseOrder.exe
2956	PurchaseOrder.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2268	butdes.exe
1348	flydes.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
2532	cmd.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
2548	aj42ED.exe
2548	aj42ED.exe
2548	aj42ED.exe
2548	aj42ED.exe
2548	aj42ED.exe
2548	aj42ED.exe
2548	aj42ED.exe
2548	aj42ED.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\SOFTWARE\AVAST Software\Avast	avg.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	aj42ED.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\SOFTWARE\AVAST Software\Avast	aj42ED.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
62	api.ipify.org
63	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aj42ED.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2956 set thread context of 2024	2956	PurchaseOrder.exe	610

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butdes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2044	timeout.exe
1416	timeout.exe
1996	timeout.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1980	Process not Found
2800	Process not Found
1752	taskkill.exe
1492	taskkill.exe
2752	taskkill.exe
1808	taskkill.exe
2120	taskkill.exe
2712	Process not Found
1556	taskkill.exe
948	taskkill.exe
1364	taskkill.exe
828	Process not Found
752	Process not Found
1512	taskkill.exe
3020	Process not Found
2720	taskkill.exe
2392	Process not Found
2960	Process not Found
1904	taskkill.exe
1824	taskkill.exe
1508	taskkill.exe
2900	taskkill.exe
1292	Process not Found
2712	Process not Found
2440	Process not Found
748	taskkill.exe
2268	taskkill.exe
2888	Process not Found
1532	Process not Found
1732	Process not Found
1856	Process not Found
1824	Process not Found
728	Process not Found
1552	taskkill.exe
2692	taskkill.exe
2240	taskkill.exe
2956	Process not Found
2160	Process not Found
2340	Process not Found
2872	taskkill.exe
2760	Process not Found
2324	taskkill.exe
2788	Process not Found
2580	Process not Found
2792	Process not Found
2960	Process not Found
2488	taskkill.exe
2932	taskkill.exe
2084	taskkill.exe
1836	Process not Found
1292	Process not Found
2744	Process not Found
2604	taskkill.exe
1580	taskkill.exe
2640	Process not Found
2700	Process not Found
2356	Process not Found
2116	taskkill.exe
1848	Process not Found
1228	Process not Found
2428	Process not Found
1332	Process not Found
2072	taskkill.exe
2440	Process not Found

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9C6AC7C1-742E-11EF-B8EC-E699F793024F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9C6AEED1-742E-11EF-B8EC-E699F793024F} = "0"	iexplore.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	IEXPLORE.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	aj42ED.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	aj42ED.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	powershell.exe
2632	powershell.exe
2024	RegSvcs.exe
2024	RegSvcs.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
2548	aj42ED.exe
1032	avg.exe
2548	aj42ED.exe
2548	aj42ED.exe
2548	aj42ED.exe
2548	aj42ED.exe
2548	aj42ED.exe
1032	avg.exe
2548	aj42ED.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe
1032	avg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	404	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	940	taskkill.exe
Token: SeDebugPrivilege	300	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	780	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2432	anti.exe
1188	iexplore.exe
1188	iexplore.exe
1472	iexplore.exe
1472	iexplore.exe
1188	iexplore.exe
1188	iexplore.exe
1188	iexplore.exe
1188	iexplore.exe
1188	iexplore.exe
1188	iexplore.exe
1472	iexplore.exe
1472	iexplore.exe
1472	iexplore.exe
1472	iexplore.exe
1472	iexplore.exe
1472	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2432	anti.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1472	iexplore.exe
1472	iexplore.exe
1188	iexplore.exe
1188	iexplore.exe
1900	IEXPLORE.EXE
1900	IEXPLORE.EXE
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
1900	IEXPLORE.EXE
1900	IEXPLORE.EXE
1032	avg.exe
2548	aj42ED.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2532	3068	202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat.exe	30
PID 3068 wrote to memory of 2532	3068	202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat.exe	30
PID 3068 wrote to memory of 2532	3068	202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat.exe	30
PID 3068 wrote to memory of 2532	3068	202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat.exe	30
PID 2532 wrote to memory of 2608	2532	cmd.exe	32
PID 2532 wrote to memory of 2608	2532	cmd.exe	32
PID 2532 wrote to memory of 2608	2532	cmd.exe	32
PID 2532 wrote to memory of 2608	2532	cmd.exe	32
PID 2532 wrote to memory of 2432	2532	cmd.exe	34
PID 2532 wrote to memory of 2432	2532	cmd.exe	34
PID 2532 wrote to memory of 2432	2532	cmd.exe	34
PID 2532 wrote to memory of 2432	2532	cmd.exe	34
PID 2532 wrote to memory of 836	2532	cmd.exe	35
PID 2532 wrote to memory of 836	2532	cmd.exe	35
PID 2532 wrote to memory of 836	2532	cmd.exe	35
PID 2532 wrote to memory of 836	2532	cmd.exe	35
PID 2532 wrote to memory of 1796	2532	cmd.exe	36
PID 2532 wrote to memory of 1796	2532	cmd.exe	36
PID 2532 wrote to memory of 1796	2532	cmd.exe	36
PID 2532 wrote to memory of 1796	2532	cmd.exe	36
PID 2532 wrote to memory of 2044	2532	cmd.exe	38
PID 2532 wrote to memory of 2044	2532	cmd.exe	38
PID 2532 wrote to memory of 2044	2532	cmd.exe	38
PID 2532 wrote to memory of 2044	2532	cmd.exe	38
PID 836 wrote to memory of 1560	836	cmd.exe	39
PID 836 wrote to memory of 1560	836	cmd.exe	39
PID 836 wrote to memory of 1560	836	cmd.exe	39
PID 836 wrote to memory of 1560	836	cmd.exe	39
PID 836 wrote to memory of 2504	836	cmd.exe	41
PID 836 wrote to memory of 2504	836	cmd.exe	41
PID 836 wrote to memory of 2504	836	cmd.exe	41
PID 836 wrote to memory of 2504	836	cmd.exe	41
PID 836 wrote to memory of 2956	836	cmd.exe	42
PID 836 wrote to memory of 2956	836	cmd.exe	42
PID 836 wrote to memory of 2956	836	cmd.exe	42
PID 836 wrote to memory of 2956	836	cmd.exe	42
PID 836 wrote to memory of 404	836	cmd.exe	43
PID 836 wrote to memory of 404	836	cmd.exe	43
PID 836 wrote to memory of 404	836	cmd.exe	43
PID 836 wrote to memory of 404	836	cmd.exe	43
PID 836 wrote to memory of 2728	836	cmd.exe	44
PID 836 wrote to memory of 2728	836	cmd.exe	44
PID 836 wrote to memory of 2728	836	cmd.exe	44
PID 836 wrote to memory of 2728	836	cmd.exe	44
PID 836 wrote to memory of 1864	836	cmd.exe	45
PID 836 wrote to memory of 1864	836	cmd.exe	45
PID 836 wrote to memory of 1864	836	cmd.exe	45
PID 836 wrote to memory of 1864	836	cmd.exe	45
PID 836 wrote to memory of 944	836	cmd.exe	46
PID 836 wrote to memory of 944	836	cmd.exe	46
PID 836 wrote to memory of 944	836	cmd.exe	46
PID 836 wrote to memory of 944	836	cmd.exe	46
PID 836 wrote to memory of 1808	836	cmd.exe	47
PID 836 wrote to memory of 1808	836	cmd.exe	47
PID 836 wrote to memory of 1808	836	cmd.exe	47
PID 836 wrote to memory of 1808	836	cmd.exe	47
PID 836 wrote to memory of 1148	836	cmd.exe	48
PID 836 wrote to memory of 1148	836	cmd.exe	48
PID 836 wrote to memory of 1148	836	cmd.exe	48
PID 836 wrote to memory of 1148	836	cmd.exe	48
PID 836 wrote to memory of 940	836	cmd.exe	49
PID 836 wrote to memory of 940	836	cmd.exe	49
PID 836 wrote to memory of 940	836	cmd.exe	49
PID 836 wrote to memory of 940	836	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat.exe
"C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\!m.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\anti.exe
    anti.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K fence.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2132
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2540
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1320
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2304
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2800
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:3056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2788
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2012
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:1492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:992
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1496
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:2240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:680
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2392
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2560
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      Kills process with taskkill
      PID:1808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1836
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      Kills process with taskkill
      PID:2900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:444
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2240
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2500
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:624
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:2756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im shutdown.exe
      4⤵
      PID:748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im werfault.exe
      4⤵
      PID:2956
- - C:\Windows\SysWOW64\explorer.exe
    explorer
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\timeout.exe
    timeout 30
    3⤵
    - Delays execution with timeout.exe
    PID:2044
- - C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\PurchaseOrder.exe
    PurchaseOrder.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\PurchaseOrder.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TESAYt.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2188
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TESAYt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp19D7.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2116
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2024
- - C:\Windows\SysWOW64\cipher.exe
    cipher /k /h /e C:\Users\Admin\Desktop\*
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\cipher.exe
    cipher C:\Users\Admin\Desktop\*
    3⤵
    PID:2832
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\doc.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1188
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1188 CREDAT:275457 /prefetch:2
      4⤵
      Manipulates Digital Signatures
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:1900
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\infected.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1472
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1472 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2352
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:1416
- - C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\butdes.exe
    butdes.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\is-L7VQN.tmp\butdes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-L7VQN.tmp\butdes.tmp" /SL5="$20108,2719719,54272,C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\butdes.exe"
      4⤵
      Executes dropped EXE
      PID:2768
- - C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\flydes.exe
    flydes.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\is-LC82O.tmp\flydes.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LC82O.tmp\flydes.tmp" /SL5="$20106,595662,54272,C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\flydes.exe"
      4⤵
      Executes dropped EXE
      PID:1804
- - C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\i.exe
    i.exe
    3⤵
    - Executes dropped EXE
    PID:1788
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10
    3⤵
    - Delays execution with timeout.exe
    PID:1996
- - C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\gx.exe
    gx.exe
    3⤵
    - Executes dropped EXE
    PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\7zS03800028\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS03800028\setup.exe --server-tracking-blob=MzY5Njg4ZTc1OTE1MjcyMTMxZmYwZTk4ODU3ZWE4Mjk0NjQ0Nzc5MjcxMWY4OGZhOThlNTU5YmNlNzA1NmJiOTp7ImNvdW50cnkiOiJOTCIsImVkaXRpb24iOiJzdGQtMiIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/ZWRpdGlvbj1zdGQtMiZ1dG1fc291cmNlPVBXTmdhbWVzJnV0bV9tZWRpdW09cGEmdXRtX2NhbXBhaWduPVBXTl9OTF9VVlJfMzczNiZlZGl0aW9uPXN0ZC0yJnV0bV9jb250ZW50PTM3MzZfJnV0bV9pZD0wNTgwYWM0YWUyOTA0ZDA3ODNkOTQxNWE0NWRhZGFkYSZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRnJ1JTJGZ3glM0ZlZGl0aW9uJTNEc3RkLTIlMjZ1dG1fc291cmNlJTNEUFdOZ2FtZXMlMjZ1dG1fbWVkaXVtJTNEcGElMjZ1dG1fY2FtcGFpZ24lM0RQV05fTkxfVVZSXzM3MzYlMjZ1dG1fY29udGVudCUzRDM3MzZfJTI2dXRtX2lkJTNEMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmdXRtX3NpdGU9b3BlcmFfY29tJnV0bV9sYXN0cGFnZT1vcGVyYS5jb20lMkZneCZ1dG1faWQ9MDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEmZGxfdG9rZW49NzAwOTYzNzgiLCJ0aW1lc3RhbXAiOiIxNzI1ODAyMjIzLjgwMDQiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI4LjAuMC4wIFNhZmFyaS81MzcuMzYgRWRnLzEyOC4wLjAuMCIsInV0bSI6eyJjYW1wYWlnbiI6IlBXTl9OTF9VVlJfMzczNiIsImNvbnRlbnQiOiIzNzM2XyIsImlkIjoiMDU4MGFjNGFlMjkwNGQwNzgzZDk0MTVhNDVkYWRhZGEiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS9neCIsIm1lZGl1bSI6InBhIiwic2l0ZSI6Im9wZXJhX2NvbSIsInNvdXJjZSI6IlBXTmdhbWVzIn0sInV1aWQiOiI0ODkyOGFmMC1jZDc3LTQ0NDctYTQyNy1kNzY5ODRmOGQ5NGMifQ==
      4⤵
      Executes dropped EXE
      PID:2960
- - C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\bundle.exe
    bundle.exe
    3⤵
    - Executes dropped EXE
    PID:2108
- - C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\rckdck.exe
    rckdck.exe
    3⤵
    - Executes dropped EXE
    PID:2436
- - C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\avg.exe
    avg.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\aj42ED.exe
      "C:\Users\Admin\AppData\Local\Temp\aj42ED.exe" /relaunch=8 /was_elevated=1 /tagdata
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2548

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
bdcf3c93c562d6f66dfb09a8d9eed847

SHA1
850163a4be51e9651cb7cb5d85d9e9fbc97a4ded

SHA256
a937f88d94db87b8146990b621eba1f7aea7bab8a5d4a792ca73bf04cd27207a

SHA512
50f445b76dc62b6c1635ababb61381fb82388f7c654b6c6f6aeae12542149651f5bced82273e1631096f7677c5fef5415148d3da6c5b0ccd19e0137fc6a5bbc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa0ec1bdac52e8853feef816e83bcfbf

SHA1
6704a1aa07d453e95ca0c001fbfd45a745707511

SHA256
325734ba5f000cea26530057f5832304503db5671b27fbd05652bf51d4a67f1a

SHA512
f38b47601e73e8e1bdceeb75284b5d7846b1e2c304f479ee4aaa37e7b4474a28e320e5a055414461c09e1af85b9e5b00b31b679c9d80d430f8a88db5dba8271f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48d89b212595cee911a24abfb295ad05

SHA1
feec3fbbf2a2c546a7413b2e6ce27e3db1b65022

SHA256
b08475a0b95768ecc139b13dffd547e8cbe51363e4441d3d323b0fc38ded99d1

SHA512
b11d77a9201e43c808bba3e46c9f3203da96bcbcbd4863ddfe21adfb34c75ed50992b2e2dea04564b95fdf70f69e5d9dd5f78beaac678c8271baeb5c51f63f50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb654be988e16a3e1345be8125c04f99

SHA1
833527faa94ee75fd095dd8b2360d5edbc0aba74

SHA256
e6b5a521a4204e16421af806260a445986996f98b86736e0f6d545698372dea3

SHA512
30708ccde42b11185a47096191ca9bd9e7bcf93b41720f751c5ad6be2c13ec79c52f8a2dbf3be24369e7eb0ae3407542d55b8f3836fe0caff20f55adff2a26be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0151005e80532753a1d3f5ef7952020

SHA1
ae883e4039a3c9be49d477495385f71dd7609f17

SHA256
0535cfbf7b3bf756de46763ccbd20defae0b0639dd37cf6b87ddfa57dfae99c5

SHA512
e6d3579fb5f57409fb7ef34df8de58ba8b5e35a4890d2b49d0a0e92b95791c1282e0847f180e945c06ca5790ce0953f52ef3ab9251a6d229d1e9666aa43902c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8edb14bf1ac467ee1be281648db3ed6b

SHA1
e251494b5b56c8bdf5373de76c79988843130e48

SHA256
3937f7217aeff08fbe7b92b8015028c4aa184aab2c930a289898a85b26bf588e

SHA512
9fa7b2b32ad91a6d576e3fff01e264b9e2642d051b37e169c12a53ca9c97b1080250f88db5c30d0bd395e46f065258ea52b1cdfc3a6d013ee0ebfa8849c7cfe2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3585b8c95a4a105d3d6dc3030f60134e

SHA1
288a76c65e7baadee8cef591d0188460cc89aa0f

SHA256
fe54eff9e62dc80eaa7cfd61e56a0502cd91c2f0220edfaa352efc72490c8b21

SHA512
1f504fe1783bf4b6b0de0f82cacc5f040dbfd753453c0d311d39672ef9c393bbddef47a9430c18ea8a8c776a75f1ddf2a0f1c541a734f5db7040bae4d30b69c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
947034034dd11baf66a67ea3a8d755de

SHA1
bd7514ccc724bf02a1101a60aabd68bd45fabaf3

SHA256
24fec0050ebaa86636a8e247f129b9a1e323fbd2df6a079e3e22f6f3e56a70bf

SHA512
4522372ecff8b4bdf8a8a6da74170183924102b494a3026d2e23e2ab5087008769d60852d5bec80b45ea5663bebc2a4299de40fc21cb55fa13dc9848fe5cfda5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27e7e7fcc934f8841187e31767f713b0

SHA1
59fe571cfb61e2e4126b8704dbd1555cab66cd9f

SHA256
4f18b02237d0bf82014455b980c8e570a03aa5b6c4c072559082c6905c741707

SHA512
1367492e32644b1df9c53a8a2989c9597cc5e9e634a9ceb00645e76115889518f975ebf8d99082cb2e15ff8de2d8448f5859a46e673babe5120337e69902cf8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
743cc007f2ad4a4b4c5892b5e9be9964

SHA1
6885199e9242e51ef2948cd4523a47ceaf6784af

SHA256
8c5fdb3d24c0d4fd8dcf22d86980655c1c9f4722ccb2cc34365f31c5b9d66e3c

SHA512
6b826fbaa034cccaa23051d352d8ec8c135a3e10c08bf6ce18a7029739ed62c7a87e3f81c2ba5ff3aafd67547f7d2fe60f96ead2db7750359eefa6877ecb3cf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9522dc8670e1c97ec8cc550180947b0

SHA1
560759f078dcd174dcebef3da40ee5d1e5cc14a5

SHA256
e87a9c07f14f5d1c6756a3d2cb42e2c25b30cc884686387752480ecd863a046d

SHA512
7c3c2be27586e8ac433ef8aa7d12ce31aa4011582ab390bcc1b05c68591d17b7cb20606c50464c1658bf5004c2e10e6555b7f475fde856e52705ec3a2ff0a345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17aad4b228bc8236308734b43e74d865

SHA1
ee9bfb5aea7e34f4fc1e2e6c382dff922c22faa4

SHA256
af94eead6d39b80e070a9a3813efbb4895777bbe064bf1a9e23131df0d8d5451

SHA512
0c9f0088b4c6d68e83a203d6c41426d33291fc434284cb9934bd51656dcfe3473ff70d66442b147f4b1016d4b4150f6c76472642de4d3ceaba90f97b5ff42118

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aad9d80446c2a251b8309d703494ab84

SHA1
648b8e44fe0d49d1070385d1f7b60d0d48f80a25

SHA256
3f7dde1a213a67628d2a9a0b09b967fd52a441f43d8e6d82aaa121d2d1e64b46

SHA512
6bd008d61c87a1141179f2d64768d0034ebb7b2363a3e180f131a0bff77c642360e573cac1224b092bff078ea480e154e719f6a504ca9bcda4e14f744099c196

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b984c7d41186c3d9252fc71aea2c6df9

SHA1
25a07ab47c8a8680d945f157f9e0ad864fba86fd

SHA256
3c2fed721de1b6f52472d29ae7bc5b1ef41e930b0c4daa3aa1ed156b272e422c

SHA512
19e424ae419139839d2fc191a861c9ab30b0ea422df440575c1ad4eeeff9e3aa9c982a7a309802f1e0f54bbbacbf35a8391e6ce837c955226bc3580d28ed925a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd61667b39eb8e738a116703781b4d6e

SHA1
95b1324355ccea0cd9aa846013734e50ec2e9b94

SHA256
21fe28ac93e201cad257373838d3a312ea57785d6e43628ac178b1044eff5e55

SHA512
2b2ea06937f58ef8f14eef2b1ed8398ab0213084ec244d5ac5283f4af840f7e18a63a10b6521a14bc018c0747676d365ab0d2e09bca681b66bf768d6fb8c00e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14fa6ef7a5550f35838e594562874b4a

SHA1
d63d9bcd890a5edd6fe24f433abb4f3d3096a3ae

SHA256
a0e1ae160a97857e4c3611c0b4c10b9fe0bb99281795d8fd4595d7fd6d3cdd9a

SHA512
2127b1e5453d85c10e891f1b436f2feb9220a7f5994ef7aeabd563ea5afdcab28a2e782e9d279ee8b911de67d85b02ed90a3f816fdb3d69ff4cee84631946722

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f72b2d2563e2d1cdc512817fa8df1ab

SHA1
79c590e149663ce396e0111bc2a0df55918d1981

SHA256
f0aeda634d94c2ebb94a78166465029a30f599ce94168bb820a4c934d1e7cdb8

SHA512
bcba7ee5823ee48fc24ea33cf74b8888db4b40adb3fa76f1417c7a2fd9b400818cd06143a9b2747fd6714d83af9a05f825b7d3d1bc0207b29c48e84155e42274

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba0f864b7f7ccd1c8bfddb03ac546f23

SHA1
f0b263ef9dee28da5267a550bd56e3549e7dc6dd

SHA256
cf840bb28f8d8905e1f5aaf0c2a6097de46a506ce72dbeab1c932b4814351220

SHA512
9052be44092b94e66a9466f958bed8ed8ed931d10f77ec247269a5ebec428baf3bcc0318e98dce018d7033fd6d2524501d3645a4f72a6912c48b0b8d3634033c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d095e3c1a80a294f20070e2fbc8339bf

SHA1
681fc90b42a07d6f3abcde8005af3222f991dd07

SHA256
2d99f35bc0844c3b196815aedbe755b88790e7dfb7e3e679eb97e7f640bf0b19

SHA512
b767868eddeb6ac225ab2cccccf28a00a04eef6e8fbc517eedfba70960d2f2c5e30fa83a39c5bf5c4185c9f35fe670d4ee9c2c206e07b87bd672c56e816eb212

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d8609d17e49d5f6cda15fb58dc776d0

SHA1
4b21a816e768c0b06e7901d9ff5fb01416d8496a

SHA256
7ea8644d7598822aebb1a45e9fa3b2392d59dffad95ed4c0e5a4fe7a4bb46c98

SHA512
f770c55c7cad58d3d8b556dc1676bc2bad5fa9cf161ebde328a23c75e7d9964d575a2bcd094ba0bb3599778d379c238d2807eddb46b18a9d08790e33a464a3d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7706d446386a885b3e59451091cc6f3

SHA1
afbee662847d9bda8e467c429a21184f4f0e548a

SHA256
0a45023e3b431ffd3cfbc9cf8371cb0c04c83ef1803e5674a84d4484f5b75112

SHA512
bbf0ae2ad5534287b1a46e32f292fe82d6c57090a09a195d4a157055880533735bb1eecab0c0fb6c64615246136f2832bb6cf8a47f3c72bf3002ad63967f83ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9af842e947d3f9487c6f9599280d5a2b

SHA1
b1ee0d9f42714baac8b891e96d7318616c2880d6

SHA256
95b447a6f72365062240c3d29572ba6990a03e901934a00062e448cc5e0689a8

SHA512
0f1e3e143bc3f79187c34a8b5f7f99725414a2904c30c579633d3979c17001b2e82b06b524b2fb620654f112ce1dabc7437840d9ab57fc9d23d318eda3227317

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d6a334365e15c473cbecda1544765a5

SHA1
6035640319c9e8be29fcffac671d2414454cdc4a

SHA256
c8c3d51cae4f8bb680251b5d9ce41e7972d8865dc7d6bf325dee186241bc267b

SHA512
dcbbfe05690da551b056c48d17c30932b71eac996f8f8732d8ea22ce43266ded3ddc1cee80317a2218067b16a6cbe47f0903314828cfbd21add16418a83f7794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9C6AC7C1-742E-11EF-B8EC-E699F793024F}.dat

Filesize
3KB

MD5
061da7ac0243c4fb9dfb4662043048e7

SHA1
69f4fee2da0095d1d146766f5cd9e9c7eec41c81

SHA256
038a89dff76456c3d38dfd9d17da3e54356fdb604f8476890a53df2c2523a4ab

SHA512
406cb222070c9c2f6c71b0932cc2e30517c30eb55eb96466ae7edce6e7e169b22e92716a06ba0a098d4a508fd12923e47367026d1ac248aaca76364e5dcdf647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9C6AEED1-742E-11EF-B8EC-E699F793024F}.dat

Filesize
5KB

MD5
af592810dc84161b941b52d00d3f3f2a

SHA1
c64d3dff4e118177de0a9693e97dd4dd3694ec7a

SHA256
361f75660932fdd784e1c08b26434205916000c242d7af6c2e1039affddc6998

SHA512
7b5d036079e0697b7187879f8293c5015f65597b1373888a5baf891df59c71ca4000737391c17883a5051b2a254ac01fcb13f92d314f21a43cae644f4206c351

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\!m.bat

Filesize
1KB

MD5
61b00fa9f8f30bb8324ca1a5fd042c73

SHA1
44afb5a0f288d8baeb0f667ca7e978e48174e36c

SHA256
7cf9aa4c080eac793113afce38a5c8081d19c51f68955ed06ebba73de7509b51

SHA512
3db8cb8fe6f60b0424217cb50a409b5943e498313c6f8fbeb1074e945dfb92053313509235d5f13f98edbf0cf76bb9aefb0d810fcd51fbe9e4e52b9162135e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\PurchaseOrder.exe

Filesize
934KB

MD5
f7f32729079353000cd97b90aa314cc1

SHA1
21dbddeea2b634263c8fbf0d6178a9751d2467b8

SHA256
8e29aa00863b1746ba25132f7ecb7bcb869d3a7e647dc8d6d3255491c5ac5212

SHA512
2c40c12b81e7c377ddf0a6691ebeedc895dcf02c9211a1563b840de735fab77968565b1d3d0c40cc0b2b583fd4bfa1c69f995fca758ea85f548bf5797b5bf847

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\avg.exe

Filesize
5.8MB

MD5
0dc93e1f58cbb736598ce7fa7ecefa33

SHA1
6e539aab5faf7d4ce044c2905a9c27d4393bae30

SHA256
4ec941f22985fee21d2f9d2ae590d5dafebed9a4cf55272b688afe472d454d36

SHA512
73617da787e51609ee779a12fb75fb9eac6ed6e99fd1f4c5c02ff18109747de91a791b1a389434edfe8b96e5b40340f986b8f7b88eac3a330b683dec565a7eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\bundle.exe

Filesize
429KB

MD5
ae4581af98a5b38bce860f76223cb7c9

SHA1
6aa1e2cce517e5914a47816ef8ca79620e50e432

SHA256
7c4b329a4018dc7e927a7d1078c846706efae6e6577f6809defaa51b636e7267

SHA512
11ad90a030999bbb727dbfde7943d27f2442c247633cde5f9696e89796b0f750f85a9be96f01fa3fd1ec97653a334b1376d6bb76d9e43424cabe3a03893ecf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\code.js

Filesize
4KB

MD5
016bf2cf2bad527f1f1ea557408cb036

SHA1
23ab649b9fb99da8db407304ce9ca04f2b50c7b4

SHA256
17bb814cfaa135628fd77aa8a017e4b0dcd3c266b8cdca99e4d7de5d215643c0

SHA512
ac2d4f51b0b1da3c544f08b7d0618b50514509841f81bc9dad03329d5c1a90e205795a51ca59522d3aa660fb60faae19803eceeeea57f141217a6701a70510e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\doc.html

Filesize
15KB

MD5
5622e7755e5f6585a965396b0d528475

SHA1
b059dc59658822334e39323b37082374e8eeaac4

SHA256
080cb8ef0cbf5a5de9163b365eec8b29538e579f14a9caa45c0f11bc173c4147

SHA512
62f5abda3473ca043bf126eed9d0bcc0f775b5ac5f85b4fe52d1d656f476f62188d22cf79b229059a5d05e9258980c787cb755f08ca86e24e5f48655b5447f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\download.jpg

Filesize
8KB

MD5
01a5131931ef35acecbe557ba13f3954

SHA1
c7afc7590d469432704d963ffcee31ad8bcfc175

SHA256
d364872ddde28d81d23bb3b08f9e86f921b542f3a35fcaf12549cf5666462bd0

SHA512
ce32352484d676bd0f47c24808707c603fe9f09e41afd63d90f07599f13a5e32c73b0970a9964632f76f5843dda87a033340ee12fadd87b9f219329d0c69b02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\favicon.ico

Filesize
5KB

MD5
e0c7cc30d8f9a3cf0140bf838198571b

SHA1
2494a9ab234b90ff0a3cc2dbc152483fb540afd3

SHA256
73bb7f4a70650054fb42f4c7ab85d9a683253a0df26703ecd4a2bb3155d93cb4

SHA512
7b87a3296fd984d89dacfa70bdc274ed9faf553c3e086d3e865ed7a2e55f92fbb55bd270a5863ebb6b95f3ce26d321b5936665741300676863f40111b95a6e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\fence.bat

Filesize
167B

MD5
6465a5431e01a80bf71aca9e9698e5b0

SHA1
d56ed108f13a6c49d57f05e2bf698778fd0b98dc

SHA256
1c5f05fecfc1f4fd508f1d3bbb93a47e8b8196b9eded5de7152a6fa57ca7580f

SHA512
db7f64b8af595d0bf6fd142471868df6d29ec7cfbb49a7e0da63d9bc8ca8f319e4c41f2c7baeafe17a3679861163400ccb36c18617982b244aaf482e9c264e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\flydes.exe

Filesize
833KB

MD5
b401505e8008994bf2a14fdf0deac874

SHA1
e4f7f375b1e88dd71a0274a997ed5d9491bde068

SHA256
6bcf6b84d71737787e3cc8d9d0eed9720f388cc2d0337832a7e8ca3c6f455a41

SHA512
1bca98547ecf5a98d42b1d77cff50ca79ee560c893b2470aeb86887fef6e40a5ccdb72956f04a1d2a862827eebd3b7746e3043f3e6209597dcde9385ed55cc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\fries.jpg

Filesize
12KB

MD5
c4d9d3cd21ef4de91abc95f99c4bc7dc

SHA1
b2cf457237c44c824068727b8440fe6a352a360c

SHA256
6fd1c3bde9a6a478e39d1cf2121e980c0bcf59454fe1673d707aa70170953bc9

SHA512
d10fbb0bdfb30160484950aa58bd2f97c38cf2d0914550b4041c9acd273e8013920ef1ee74216f92437a44ab81111a4c70ed3dc2df680ee4d187c22557900ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\gx.exe

Filesize
3.1MB

MD5
80bf3bf3b76c80235d24f7c698239089

SHA1
7f6071b502df985580e7c469c6d092472e355765

SHA256
2b95e56af10406fbd3ecee38dab9e9c4a9b990d087f2ad2d7b1981c087829da2

SHA512
076b8b6a80ea15738ce682cc715792546582d7a74f971f94f6b5b9cf8164f01280322baec7f72894ac4b8d63b9f2f6074e8fc5e47880ef6c0b57a47beef3581a

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\images.jpg

Filesize
13KB

MD5
49f4fe0c8646909c7cf87adf68d896fd

SHA1
9193264c38e5ed9fa0f5be1d79f802cf946a74cf

SHA256
9292dfcddc9e88e5dbc095ceeb83ce23400a3405a4d47fffc80656941c87d5ec

SHA512
9df4db8c958110cea66f627170919346ed673d3c13aa55292484fc74ebac2864b0292cd4d66d35957b4b2740b2fe30ddfb9d9e04115d655fb58bf39e100d285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\infected.html

Filesize
972B

MD5
f48be9db7436f1c53508f1ad70064459

SHA1
16b20d3933cc6398859f1334a848982cccfd8501

SHA256
f79460fad80962fabe51f271a2ad33fd54c418fbb0a8646c1d78654696d7d7b2

SHA512
c7870b4fd16827817fa16c68f9d1a51270cfd9dc052861977a12ffcbc91a1668c82f168f8b33661d68579cfed766e15d0e436794d0eed164946eb9927355b638

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\nuggets.webp

Filesize
32KB

MD5
e40209599b592630dcac551daeb6b849

SHA1
851150b573f94f07e459c320d72505e52c3e74f0

SHA256
3c9aefa00fb2073763e807a7eccac687dcc26598f68564e9f9cf9ffdcd90a2be

SHA512
6da5895f2833a18ddb58ba4a9e78dd0b3047475cae248e974dc45d839f02c62772a6ba6dfe51dd9a37f29b7ec9780e799f60f0e476655006dec693164e17eec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\rckdck.exe

Filesize
5.7MB

MD5
e92ee999533998d0a7e7eeb7ee27cc1a

SHA1
903257ae4f0b055170e631f8306d143d6af5ebac

SHA256
60e28665e9a59738cd5ff1086238c9f08690c170b1927d478ed23acd10afa04d

SHA512
ef0759f9b6bd3608cc64a59e6c4be73353dfa63e33f2cb8604a7e83f849f2686d399956a7b26d30bd1eb58003bf6c32d9be01435ac463b431d99d2d5f64782c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS03800028\setup.exe

Filesize
6.4MB

MD5
defd30ea336650cc29c0c79fad6fa6b5

SHA1
935d871ed86456c6dd3c83136dc2d1bda5988ff3

SHA256
015a13bd912728e463df6807019b1914dffc3e6735830472e3287150a02e13f4

SHA512
8c6ebbf398fb44ff2254db5a7a2ffbc8803120fa93fa6b72c356c6e8eca45935ab973fe3c90d52d5a7691365caf5b41fe2702b6c76a61a0726faccc392c40e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEF22.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEF34.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LC82O.tmp\flydes.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse3B8C.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
d21ae3f86fc69c1580175b7177484fa7

SHA1
2ed2c1f5c92ff6daa5ea785a44a6085a105ae822

SHA256
a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450

SHA512
eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse3B8C.tmp\StdUtils.dll

Filesize
195KB

MD5
34939c7b38bffedbf9b9ed444d689bc9

SHA1
81d844048f7b11cafd7561b7242af56e92825697

SHA256
b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0

SHA512
bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4388.tmp\CR.History.tmp

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4388.tmp\FF.places.tmp

Filesize
5.0MB

MD5
4c6b96a63ce26be74c69ac9aba134c92

SHA1
96c525141582bd9be736a1a664290e10dbf746cc

SHA256
0cd0934c0d26e45d6a878470ff659ff53a3800da396065e129c249273a8d6fff

SHA512
719180cd3767657637507e37038f9ff63b652f34e6fc22a82ac025cbe91df2a984cb6fec9111e8894c9a89d911a34049574ef2991aebecdecf6097420111bc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4388.tmp\Midex.dll

Filesize
126KB

MD5
2597a829e06eb9616af49fcd8052b8bd

SHA1
871801aba3a75f95b10701f31303de705cb0bc5a

SHA256
7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87

SHA512
8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp19D7.tmp

Filesize
1KB

MD5
82066d030b603c90af2f3723a5e05f70

SHA1
fc61477405bd81e211425c5f38736b26f16c97b8

SHA256
2a994b9f7cb52a79cc8efe1c739f7ef72ba39f5af0f01b9db460e165edb75df4

SHA512
ae831f26d4e19a0f17418613618e679220133c7e98e86c21fecd95e7db22dc950d023f2620a41d14eda5d6aeb0a7849f23cfc7d8d5a174ffd79e7d8bb9b27fdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\071826223749B945ED09EDEB4F888C1BE81F520F

Filesize
1KB

MD5
6d78166cb8dfae77d8227ce9319cd3ae

SHA1
c1143193c09c873d8bf288a9038ecd7bd245c98f

SHA256
b42072c1d5e98ed235d91440554ad1f2a3fce0dcc0282f63e3c0aea6d0a64583

SHA512
5c40611c125200625a27dec28f8ba0769959a8e158242564af6ff6596db17b0927a79bc98045b4001e34e227b1638a2b0b2bafb187bb11b057afb849d1fb1b96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3045195599833bf46c26ce2af0eb9b0e

SHA1
a08ed9ab61ed1c62fe8d6c121d931d1e8a0a4fc1

SHA256
2be99d2810fd27b7bde1418f86bcdaec0e431f4c57be2bfba41132f73b507a99

SHA512
7514a0cc94aaea081073de43dd2ace8e8726c8e116ebc66bf205928b8dbb0a10fa30795f3f44f4af789c1b452f36ffe6a526968ec348a6447c736f6912850851

Download Submit
\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\anti.exe

Filesize
1.9MB

MD5
cb02c0438f3f4ddabce36f8a26b0b961

SHA1
48c4fcb17e93b74030415996c0ec5c57b830ea53

SHA256
64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

SHA512
373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

Download Submit
\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\butdes.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
\Users\Admin\AppData\Local\Temp\202409165d20d04ed7f6024bed1388022efd5eb7cobaltstrikecobaltstrikehijackloaderpoetrat_6ad6426f-da6a-4faa-a490-662822cfa5e6\i.exe

Filesize
12KB

MD5
cea5426da515d43c88132a133f83ce68

SHA1
0c224d0bb777f1e3b186fdf58cc82860d96805cc

SHA256
2be7a0865ded1c0bd1f92d5e09bb7b37a9e36a40487a687e0359c93878611a78

SHA512
4c1f25147222c84dff513bebf00e828719454ad634ef9380cfc7835f0457a718b4b437ecb60c1fa72a7f83fbb67e1ddfcd225194eedda77034c72f8c752c642c

Download Submit
\Users\Admin\AppData\Local\Temp\aj42ED.exe

Filesize
5.8MB

MD5
c79bb78a0bad2559a7037913dd1f1f34

SHA1
a5b36348ad93fdf971201f31136d8c9b056984a7

SHA256
f63b47288af395ac9c02c980592691e2d446fe8b4d3813007433ae262af693c3

SHA512
1bd81cbe784427e54903159225e0fd94c0fab1d9498c11db177d86268f34129e6835759a9a3e3822c717349043930e13168390fcc2f9a74f9699f14497cfc888

Download Submit
\Users\Admin\AppData\Local\Temp\nse3B8C.tmp\jsis.dll

Filesize
127KB

MD5
2027121c3cdeb1a1f8a5f539d1fe2e28

SHA1
bcf79f49f8fc4c6049f33748ded21ec3471002c2

SHA256
1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1

SHA512
5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

Download Submit
\Users\Admin\AppData\Local\Temp\nse3B8C.tmp\nsJSON.dll

Filesize
36KB

MD5
f840a9ddd319ee8c3da5190257abde5b

SHA1
3e868939239a5c6ef9acae10e1af721e4f99f24b

SHA256
ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a

SHA512
8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

Download Submit
\Users\Admin\AppData\Local\Temp\nse3B8C.tmp\thirdparty.dll

Filesize
93KB

MD5
7b4bd3b8ad6e913952f8ed1ceef40cd4

SHA1
b15c0b90247a5066bd06d094fa41a73f0f931cb8

SHA256
a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754

SHA512
d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

Download Submit
\Users\Admin\AppData\Local\Temp\{78DA8A3B-3F9C-4522-BD9A-68E5E55676A4}\scrt.dll

Filesize
5.7MB

MD5
f36f05628b515262db197b15c7065b40

SHA1
74a8005379f26dd0de952acab4e3fc5459cde243

SHA256
67abd9e211b354fa222e7926c2876c4b3a7aca239c0af47c756ee1b6db6e6d31

SHA512
280390b1cf1b6b1e75eaa157adaf89135963d366b48686d48921a654527f9c1505c195ca1fc16dc85b8f13b2994841ca7877a63af708883418a1d588afa3dbe8

Download Submit
memory/1348-1195-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1348-1267-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1804-1269-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2024-1223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-1221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-1227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-1230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-1229-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2024-1233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-1231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-1225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-1266-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2268-1191-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2288-1206-0x00000000777D0000-0x00000000778EF000-memory.dmp

Filesize
1.1MB

Download
memory/2288-1207-0x00000000778F0000-0x00000000779EA000-memory.dmp

Filesize
1000KB

Download
memory/2432-95-0x0000000000100000-0x00000000002F2000-memory.dmp

Filesize
1.9MB

Download
memory/2436-1260-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2436-1423-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2532-98-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2532-69-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2532-278-0x0000000005150000-0x0000000005250000-memory.dmp

Filesize
1024KB

Download
memory/2768-1268-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2956-111-0x0000000000BA0000-0x0000000000C8A000-memory.dmp

Filesize
936KB

Download
memory/2956-112-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2956-1208-0x00000000056D0000-0x0000000005752000-memory.dmp

Filesize
520KB

Download
memory/3068-96-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/3068-97-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/3068-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/3068-3-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/3068-2-0x0000000000390000-0x00000000003B4000-memory.dmp

Filesize
144KB

Download
memory/3068-1-0x0000000000870000-0x00000000008BA000-memory.dmp

Filesize
296KB

Download