Analysis Overview
SHA256
439ff2060a600d666dafcf86f7ef8fea5ee0cca7e39521c986a3181d99ede61d
Threat Level: Known bad
The file Ransomware artifact CyberVolk.zip was found to be: Known bad.
Malicious Activity Summary
Renames multiple (2327) files with added filename extension
Renames multiple (877) files with added filename extension
Renames multiple (147) files with added filename extension
Renames multiple (221) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Sets desktop wallpaper using registry
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: JavaScript
Unsigned PE
Browser Information Discovery
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 16:00
Signatures
Unsigned PE
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win7-20241010-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ransom\ransom\Cryptographic.js
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win7-20240903-en
Max time kernel
117s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ransom\ransom\ransom.js
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
Network
Files
memory/352-1-0x0000000000400000-0x00000000004DD000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
139s
Command Line
Signatures
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" | C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe | N/A |
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe
"C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win7-20240903-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ransom\ransom\Crypto\RSA\bigdigits.vbs"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ransom\ransom\Cryptographic.js
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ransom\ransom\ransom.js
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Renames multiple (2327) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | \??\f:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ransom.exe
"C:\Users\Admin\AppData\Local\Temp\ransom.exe"
Network
Files
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\CyberVolk_ReadMe.txt
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\CURRENT.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662742439442.txt.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664412580892.txt.cvenc
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670038515250.txt.cvenc
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc
C:\Users\Admin\AppData\Roaming\time.dat
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.cvenc
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.cvenc
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\key_gen\main.exe
"C:\Users\Admin\AppData\Local\Temp\key_gen\main.exe"
Network
Files
memory/4540-1-0x0000000000400000-0x00000000004DD000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Renames multiple (147) files with added filename extension
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | \??\f:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe
"C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ransom\ransom\Crypto\RSA\bigdigits.vbs"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win7-20240903-en
Max time kernel
150s
Max time network
128s
Command Line
Signatures
Renames multiple (877) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ransom.exe
"C:\Users\Admin\AppData\Local\Temp\ransom.exe"
Network
Files
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\CyberVolk_ReadMe.txt
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT.cvenc
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.cvenc
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L7XNHY48\desktop.ini.cvenc
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8O71085\desktop.ini.cvenc
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.cvenc
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win7-20240903-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Renames multiple (221) files with added filename extension
Drops desktop.ini file(s)
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" | C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe
"C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/5084-1-0x0000000000400000-0x00000000004DD000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win7-20240729-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\key_gen\main.exe
"C:\Users\Admin\AppData\Local\Temp\key_gen\main.exe"
Network
Files
memory/1740-1-0x0000000000400000-0x00000000004DD000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-05 16:00
Reported
2024-11-05 16:02
Platform
win7-20240729-en
Max time kernel
150s
Max time network
20s
Command Line
Signatures
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" | C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe
"C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mmc.exe /t