Technical Information — sandbox behaviour log. The entries below are observed artifacts, not a script to run: a `taskkill` sweep against debuggers, process monitors, dumpers, deobfuscators and HTTP/packet sniffers (procexp, x64dbg/x32dbg, IDA, OllyDbg, Process Hacker, KsDumper, de4dot, Wireshark, Fiddler, HTTP Debugger, Cheat Engine variants) — classic anti-analysis; window-class lookups for Sysinternals Regmon/Filemon/Procmon; `cab*.tmp`/`tar*.tmp` writes under `%LOCALAPPDATA%low\temp`; TCP and DNS activity to `ke##uth.win` (hostname masked by the report) on 80/443 plus `x1.#.lencr.org` / `x2.#.lencr.org` on 80 (Let's Encrypt CA endpoints, presumably TLS certificate validation rather than C2 — confirm); and a `certutil -hashfile "<file>" MD5 | find /i /v "md5" | find /i /v "certutil"` pipeline, which reads like a self-hash / integrity check — verify against the sample. Note for detection authors: the `/FI "IMAGENAME eq …*"` forms are prefix wildcards, and several image names containing spaces (`Cheat Engine.exe`, `HTTP Debugger Windows Service (32 bit).exe`) appear unquoted, so as logged they would likely not match a running process unless the report stripped the quotes.
- '<SYSTEM32>\taskkill.exe' /f /im procexp.exe
- '<SYSTEM32>\taskkill.exe' /f /im Cheat Engine.exe
- '<SYSTEM32>\taskkill.exe' /f /im cheatengine-x86_64.exe
- '<SYSTEM32>\taskkill.exe' /f /im cheatengine-x86_64-SSE4-AVX2.exe
- '<SYSTEM32>\taskkill.exe' /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
- '<SYSTEM32>\taskkill.exe' /f /im MugenJinFuu-i386.exe
- '<SYSTEM32>\taskkill.exe' /f /im cheatengine-i386.exe
- '<SYSTEM32>\taskkill.exe' /f /im KsDumper.exe
- '<SYSTEM32>\taskkill.exe' /f /im HTTP Debugger Windows Service (32 bit).exe
- '<SYSTEM32>\taskkill.exe' /f /im x64dbg.exe
- '<SYSTEM32>\taskkill.exe' /f /im x32dbg.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /f /im Ida64.exe
- '<SYSTEM32>\taskkill.exe' /f /im Dbg64.exe
- '<SYSTEM32>\taskkill.exe' /f /im Dbg32.exe
- '<SYSTEM32>\taskkill.exe' /f /im Xenos32.exe
- '<SYSTEM32>\taskkill.exe' /f /im de4dot.exe
- '<SYSTEM32>\taskkill.exe' /f /im Xenos.exe
- '<SYSTEM32>\taskkill.exe' /f /im Xenos64.exe
- '<SYSTEM32>\taskkill.exe' /f /im FiddlerEverywhere.exe
- '<SYSTEM32>\taskkill.exe' /f /im mafiaengine-i386.exe
- '<SYSTEM32>\taskkill.exe' /f /im Mafia Engine.exe
- '<SYSTEM32>\taskkill.exe' /f /im mafiaengine-x86_64.exe
- '<SYSTEM32>\taskkill.exe' /f /im Tutorial-i386.exe
- '<SYSTEM32>\taskkill.exe' /f /im Tutorial-x86_64.exe
- '<SYSTEM32>\taskkill.exe' /f /im mafiaengine-x86_64-SSE4-AVX2.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /f /im OllyDbg.exe
- '<SYSTEM32>\taskkill.exe' /f /im KsDumperClient.exe
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerSvc.exe
- '<SYSTEM32>\taskkill.exe' /f /im ProcessHacker.exe
- '<SYSTEM32>\taskkill.exe' /f /im idaq.exe
- '<SYSTEM32>\taskkill.exe' /f /im idaq64.exe
- '<SYSTEM32>\taskkill.exe' /f /im Wireshark.exe
- '<SYSTEM32>\taskkill.exe' /f /im Fiddler.exe
- '<SYSTEM32>\taskkill.exe' /f /im procexp64.exe
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerUI.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq processhacker*" /IM * /F /T
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- nul
- %LOCALAPPDATA%low\temp\tard7cf.tmp
- %LOCALAPPDATA%low\temp\cabd7ce.tmp
- %LOCALAPPDATA%low\temp\tard5d8.tmp
- %LOCALAPPDATA%low\temp\cabd5c8.tmp
- %LOCALAPPDATA%low\temp\tard549.tmp
- %LOCALAPPDATA%low\temp\cabd548.tmp
- %LOCALAPPDATA%low\temp\tard3d0.tmp
- %LOCALAPPDATA%low\temp\cabd3cf.tmp
- %LOCALAPPDATA%low\temp\tard340.tmp
- %LOCALAPPDATA%low\temp\cabd330.tmp
- %LOCALAPPDATA%low\temp\tard179.tmp
- %LOCALAPPDATA%low\temp\cabd178.tmp
- %LOCALAPPDATA%low\temp\cabdf11.tmp
- %LOCALAPPDATA%low\temp\tard0e9.tmp
- %LOCALAPPDATA%low\temp\tarcf22.tmp
- %LOCALAPPDATA%low\temp\cabcf21.tmp
- %LOCALAPPDATA%low\temp\tarce64.tmp
- %LOCALAPPDATA%low\temp\cabce63.tmp
- %LOCALAPPDATA%low\temp\tarcc2f.tmp
- %LOCALAPPDATA%low\temp\cabcc2e.tmp
- %LOCALAPPDATA%low\temp\tarcbde.tmp
- %LOCALAPPDATA%low\temp\cabcbdd.tmp
- %LOCALAPPDATA%low\temp\tarcb01.tmp
- %LOCALAPPDATA%low\temp\cabcb00.tmp
- %LOCALAPPDATA%low\temp\tarc8ad.tmp
- %LOCALAPPDATA%low\temp\cabc8ac.tmp
- %LOCALAPPDATA%low\temp\cabd0e8.tmp
- %LOCALAPPDATA%low\temp\tardf12.tmp
- %LOCALAPPDATA%low\temp\cabc8ac.tmp
- %LOCALAPPDATA%low\temp\tard7cf.tmp
- %LOCALAPPDATA%low\temp\cabd7ce.tmp
- %LOCALAPPDATA%low\temp\tard5d8.tmp
- %LOCALAPPDATA%low\temp\cabd5c8.tmp
- %LOCALAPPDATA%low\temp\tard549.tmp
- %LOCALAPPDATA%low\temp\cabd548.tmp
- %LOCALAPPDATA%low\temp\tard3d0.tmp
- %LOCALAPPDATA%low\temp\cabd3cf.tmp
- %LOCALAPPDATA%low\temp\tard340.tmp
- %LOCALAPPDATA%low\temp\cabd330.tmp
- %LOCALAPPDATA%low\temp\tard179.tmp
- %LOCALAPPDATA%low\temp\cabd178.tmp
- %LOCALAPPDATA%low\temp\tard0e9.tmp
- %LOCALAPPDATA%low\temp\cabd0e8.tmp
- %LOCALAPPDATA%low\temp\tarcf22.tmp
- %LOCALAPPDATA%low\temp\cabcf21.tmp
- %LOCALAPPDATA%low\temp\tarce64.tmp
- %LOCALAPPDATA%low\temp\cabce63.tmp
- %LOCALAPPDATA%low\temp\tarcc2f.tmp
- %LOCALAPPDATA%low\temp\cabcc2e.tmp
- %LOCALAPPDATA%low\temp\tarcbde.tmp
- %LOCALAPPDATA%low\temp\cabcbdd.tmp
- %LOCALAPPDATA%low\temp\tarcb01.tmp
- %LOCALAPPDATA%low\temp\cabcb00.tmp
- %LOCALAPPDATA%low\temp\tarc8ad.tmp
- %LOCALAPPDATA%low\temp\cabdf11.tmp
- %LOCALAPPDATA%low\temp\tardf12.tmp
- 'localhost':49187
- 'localhost':49189
- 'ke##uth.win':443
- 'ke##uth.win':80
- 'x1.#.lencr.org':80
- 'x2.#.lencr.org':80
- http://x1.#.lencr.org/
- http://x2.#.lencr.org/
- 'localhost':49187
- 'localhost':49189
- 'localhost':49190
- 'ke##uth.win':443
- DNS ASK ke##uth.win
- DNS ASK x1.#.lencr.org
- DNS ASK x2.#.lencr.org
- ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: '18467-41' WindowName: ''
- ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: 'Process Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: '' WindowName: ''
- '<SYSTEM32>\cmd.exe' /c certutil -hashfile "<Full path to file>" MD5 | find /i /v "md5" | find /i /v "certutil"
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Xenos32.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im de4dot.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Cheat Engine.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Tutorial-x86_64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im OllyDbg.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im x64dbg.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im x32dbg.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Ida64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Dbg64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Dbg32.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Xenos64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Xenos.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Fiddler.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Wireshark.exe >nul 2>&1
- '<SYSTEM32>\find.exe' /i /v "md5"
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im procexp.exe >nul 2>&1
- '<SYSTEM32>\find.exe' /i /v "certutil"
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im procexp64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im mafiaengine-i386.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Mafia Engine.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im mafiaengine-x86_64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Tutorial-i386.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im KsDumperClient.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im KsDumper.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im ProcessHacker.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im idaq.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im idaq64.exe >nul 2>&1
- '<SYSTEM32>\certutil.exe' -hashfile "<Full path to file>" MD5
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im mafiaengine-x86_64-SSE4-AVX2.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1