cerber | 045f15732d3999f475ae5e25b88011f86c059444a55817b0ce1a60beee4c347f

Resubmissions

18/10/2022, 09:52

221018-lv2qtafch9 10

18/10/2022, 09:48

221018-ls996sfch6 3

03/09/2022, 05:48

220903-ghmnxaacfj 10

Analysis

max time kernel
117s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2022, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vanguard_Spoofer.exe
Size

697KB
MD5

ac247152e9e48cf792cbc986c39a77b7
SHA1

0174007199120da8d24125430720442373508c98
SHA256

045f15732d3999f475ae5e25b88011f86c059444a55817b0ce1a60beee4c347f
SHA512

e27a7ebc1c4e15dc55fba6c97a83d888d58fe4d4e711c7e77d446f0e0be5c82e57e2f3ef5d2a5bb9a13ec2d85aa295fee1e4dc1fe680c9ace91fb7043b89d56f
SSDEEP

12288:Mg5E6JOtYvjofCHjacgC9DHDw82japb1DOMvSastXAJU0u3KKRSozfg5WdC7O:MgdOtMooGcgC9D5sivvSLtXAJ83KKRSs

Score

10^/10

cerber ransomware

Malware Config

Signatures

Cerber 17 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
		3820	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin64.exe
		1072	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin64.exe
		3448	taskkill.exe
		4036	taskkill.exe
		5000	taskkill.exe
		2836	taskkill.exe
		316	taskkill.exe
		2208	taskkill.exe
		5028	taskkill.exe
		2576	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin.exe
		4448	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin64.exe

Downloads MZ/PE file

Executes dropped EXE 18 IoCs

pid	Process
3956	MicrosoftLogs.exe
3704	user.exe
3612	At.exe
3108	ssu.exe
4040	DisableCtrlAltDel.exe
660	amidewin.exe
1484	amidewin.exe
4548	amidewin.exe
3328	amidewin64.exe
4684	amidewin64.exe
4992	amidewin64.exe
3356	Volumeid64.exe
1792	Volumeid64.exe
3372	Volumeid64.exe
3212	Volumeid64.exe
1296	(3)D.exe
3820	(4)E.exe
3256	(5)F.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	user.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	(3)D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	(4)E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	(5)F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Vanguard_Spoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	MicrosoftLogs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3016	1936	WerFault.exe	82

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1832	timeout.exe
3040	timeout.exe
2116	timeout.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
672	taskkill.exe
4944	taskkill.exe
1056	taskkill.exe
3488	taskkill.exe
3568	taskkill.exe
2436	taskkill.exe
4632	taskkill.exe
1320	taskkill.exe
4884	taskkill.exe
3184	taskkill.exe
3324	taskkill.exe
1072	taskkill.exe
828	taskkill.exe
412	taskkill.exe
3428	taskkill.exe
2528	taskkill.exe
4936	taskkill.exe
2352	taskkill.exe
1416	taskkill.exe
1008	taskkill.exe
2208	taskkill.exe
316	taskkill.exe
3608	taskkill.exe
636	taskkill.exe
4672	taskkill.exe
2256	taskkill.exe
3888	taskkill.exe
2864	taskkill.exe
2088	taskkill.exe
760	taskkill.exe
4600	taskkill.exe
3372	taskkill.exe
3512	taskkill.exe
780	taskkill.exe
2560	taskkill.exe
4324	taskkill.exe
3080	taskkill.exe
64	taskkill.exe
2944	taskkill.exe
1392	taskkill.exe
816	taskkill.exe
1568	taskkill.exe
2460	taskkill.exe
4476	taskkill.exe
4324	taskkill.exe
1668	taskkill.exe
1932	taskkill.exe
2192	taskkill.exe
4156	taskkill.exe
2412	taskkill.exe
1340	taskkill.exe
3320	taskkill.exe
4088	taskkill.exe
4160	taskkill.exe
540	taskkill.exe
2324	taskkill.exe
1960	taskkill.exe
4240	taskkill.exe
5088	taskkill.exe
3268	taskkill.exe
1400	taskkill.exe
3512	taskkill.exe
648	taskkill.exe
5044	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration\IE Installed Date = 1505525181	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Registration	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Registration\ProductId = "00331-10000-00001-A16E3"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\svcKBNumber = "KB3170552"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration	reg.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInv = "{27720B92-DB39-0124-DB39-929824356DC3}"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInv	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4636	powershell.exe
4636	powershell.exe
4040	DisableCtrlAltDel.exe
4040	DisableCtrlAltDel.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	Vanguard_Spoofer.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	4040	DisableCtrlAltDel.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	4036	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeDebugPrivilege	3156	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	3824	taskkill.exe
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	3604	taskkill.exe
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	4112	taskkill.exe
Token: SeDebugPrivilege	4108	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	4208	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	4656	taskkill.exe
Token: SeDebugPrivilege	4560	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	3656	taskkill.exe
Token: SeDebugPrivilege	3816	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	3284	taskkill.exe
Token: SeDebugPrivilege	4508	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	4172	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	4748	taskkill.exe
Token: SeDebugPrivilege	3184	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	3504	taskkill.exe
Token: SeDebugPrivilege	460	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 540	1936	Vanguard_Spoofer.exe	92
PID 1936 wrote to memory of 540	1936	Vanguard_Spoofer.exe	92
PID 1936 wrote to memory of 540	1936	Vanguard_Spoofer.exe	92
PID 1936 wrote to memory of 3956	1936	Vanguard_Spoofer.exe	95
PID 1936 wrote to memory of 3956	1936	Vanguard_Spoofer.exe	95
PID 1936 wrote to memory of 3956	1936	Vanguard_Spoofer.exe	95
PID 3956 wrote to memory of 4700	3956	MicrosoftLogs.exe	96
PID 3956 wrote to memory of 4700	3956	MicrosoftLogs.exe	96
PID 4700 wrote to memory of 1668	4700	cmd.exe	99
PID 4700 wrote to memory of 1668	4700	cmd.exe	99
PID 4700 wrote to memory of 3704	4700	cmd.exe	100
PID 4700 wrote to memory of 3704	4700	cmd.exe	100
PID 4700 wrote to memory of 3704	4700	cmd.exe	100
PID 4700 wrote to memory of 3612	4700	cmd.exe	101
PID 4700 wrote to memory of 3612	4700	cmd.exe	101
PID 4700 wrote to memory of 2208	4700	cmd.exe	103
PID 4700 wrote to memory of 2208	4700	cmd.exe	103
PID 3612 wrote to memory of 4636	3612	At.exe	104
PID 3612 wrote to memory of 4636	3612	At.exe	104
PID 3704 wrote to memory of 4120	3704	user.exe	105
PID 3704 wrote to memory of 4120	3704	user.exe	105
PID 4120 wrote to memory of 1832	4120	cmd.exe	107
PID 4120 wrote to memory of 1832	4120	cmd.exe	107
PID 4636 wrote to memory of 3016	4636	powershell.exe	108
PID 4636 wrote to memory of 3016	4636	powershell.exe	108
PID 4700 wrote to memory of 2836	4700	cmd.exe	109
PID 4700 wrote to memory of 2836	4700	cmd.exe	109
PID 3016 wrote to memory of 4628	3016	csc.exe	110
PID 3016 wrote to memory of 4628	3016	csc.exe	110
PID 4700 wrote to memory of 4448	4700	cmd.exe	111
PID 4700 wrote to memory of 4448	4700	cmd.exe	111
PID 4700 wrote to memory of 2576	4700	cmd.exe	112
PID 4700 wrote to memory of 2576	4700	cmd.exe	112
PID 1936 wrote to memory of 3108	1936	Vanguard_Spoofer.exe	113
PID 1936 wrote to memory of 3108	1936	Vanguard_Spoofer.exe	113
PID 1936 wrote to memory of 3108	1936	Vanguard_Spoofer.exe	113
PID 4700 wrote to memory of 3448	4700	cmd.exe	115
PID 4700 wrote to memory of 3448	4700	cmd.exe	115
PID 4120 wrote to memory of 4040	4120	cmd.exe	116
PID 4120 wrote to memory of 4040	4120	cmd.exe	116
PID 3108 wrote to memory of 3408	3108	ssu.exe	117
PID 3108 wrote to memory of 3408	3108	ssu.exe	117
PID 4040 wrote to memory of 3812	4040	DisableCtrlAltDel.exe	118
PID 4040 wrote to memory of 3812	4040	DisableCtrlAltDel.exe	118
PID 3408 wrote to memory of 3040	3408	cmd.exe	119
PID 3408 wrote to memory of 3040	3408	cmd.exe	119
PID 4700 wrote to memory of 1072	4700	cmd.exe	120
PID 4700 wrote to memory of 1072	4700	cmd.exe	120
PID 4700 wrote to memory of 316	4700	cmd.exe	121
PID 4700 wrote to memory of 316	4700	cmd.exe	121
PID 4700 wrote to memory of 4036	4700	cmd.exe	122
PID 4700 wrote to memory of 4036	4700	cmd.exe	122
PID 4700 wrote to memory of 3820	4700	cmd.exe	123
PID 4700 wrote to memory of 3820	4700	cmd.exe	123
PID 4700 wrote to memory of 5000	4700	cmd.exe	124
PID 4700 wrote to memory of 5000	4700	cmd.exe	124
PID 4700 wrote to memory of 5028	4700	cmd.exe	125
PID 4700 wrote to memory of 5028	4700	cmd.exe	125
PID 3408 wrote to memory of 660	3408	cmd.exe	126
PID 3408 wrote to memory of 660	3408	cmd.exe	126
PID 3408 wrote to memory of 660	3408	cmd.exe	126
PID 4700 wrote to memory of 3584	4700	cmd.exe	127
PID 4700 wrote to memory of 3584	4700	cmd.exe	127
PID 3408 wrote to memory of 1484	3408	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\Vanguard_Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Vanguard_Spoofer.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c md C:\\antiOS
  2⤵
  PID:540
- C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe
  "C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6959.tmp\695A.tmp\695B.bat C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\system32\mode.com
      mode con:cols=80 lines=25
      4⤵
      PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\user.exe
      user.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3704
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6CB4.tmp\6CB5.tmp\6CB6.bat C:\Users\Admin\AppData\Local\Temp\user.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4120
      - C:\Windows\system32\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:1832
      - C:\Users\Admin\AppData\Local\Temp\DisableCtrlAltDel.exe
        
        DisableCtrlAltDel.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pause
        7⤵
        
        PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\At.exe
      At.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -executionpolicy bypass -WindowStyle hidden -file "Untitled1.ps1"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z00mutgv\z00mutgv.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES761A.tmp" "c:\Users\Admin\AppData\Local\Temp\z00mutgv\CSCE5AB3705204441EB25DD25DBCA57039.TMP"
        7⤵
        
        PID:4628
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Cerber
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2208
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:2836
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      Cerber
      PID:4448
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:2576
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:3448
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:1072
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      Cerber
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4036
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:3820
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:5000
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:5028
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3584
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1856
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4540
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1668
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2560
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1724
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:564
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3824
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3888
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3364
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3604
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2868
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:220
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2192
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4112
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4108
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4804
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4208
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3004
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4696
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4656
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4560
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2356
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2664
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1932
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4084
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1312
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4936
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:660
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3656
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3816
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2388
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2436
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3284
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4508
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5056
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2540
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4172
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2468
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4748
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3184
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3132
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4588
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1176
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3892
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4752
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:828
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3504
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:460
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:648
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2196
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:1336
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3276
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:2836
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:4108
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:1304
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:2576
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:1752
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:1992
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:1524
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:4912
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:3460
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:2044
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:3904
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:2356
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4036
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:2780
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:3040
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:3344
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      Kills process with taskkill
      PID:4324
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:3108
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:660
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3656
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:3816
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3712
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:1916
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:2088
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:2420
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:1968
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:1616
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4596
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:4172
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:1468
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:2120
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:2412
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:3360
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3432
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      Kills process with taskkill
      PID:3428
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:3188
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:2256
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:2208
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:3528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:2868
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      Kills process with taskkill
      PID:2864
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:5068
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:4732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:596
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4448
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4804
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:3716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:972
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:2116
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:2588
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4056
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:3640
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:816
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:1240
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:3536
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4944
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:3160
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:4272
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:5112
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:4936
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:5028
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:3204
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:4816
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:4032
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:4684
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:3548
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:4748
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      Kills process with taskkill
      PID:3324
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3828
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:3244
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3824
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:1756
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:4232
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:4840
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      Kills process with taskkill
      PID:3608
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:2168
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      Kills process with taskkill
      PID:2192
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:4672
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:4956
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:4864
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:5096
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:3720
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:3192
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:396
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:3508
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:3864
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:3408
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:3440
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:4560
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:4288
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4944
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:4088
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:976
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:5040
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:4160
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:5112
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:4936
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      Kills process with taskkill
      PID:3268
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3788
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      Kills process with taskkill
      PID:540
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3712
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3008
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:3256
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:1616
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4380
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      Kills process with taskkill
      PID:2528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:2412
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:3828
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3364
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:3504
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:220
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      Kills process with taskkill
      PID:4156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4856
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:5088
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:2588
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:1344
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4632
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      PID:636
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:4088
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:5040
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:4160
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:5112
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:4936
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:1300
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:3740
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      Kills process with taskkill
      PID:1400
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:4352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:4584
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:2540
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:2468
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Kills process with taskkill
      PID:2088
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3080
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:4092
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:1816
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4748
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:3804
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:2412
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:672
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3200
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:3924
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3892
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:2324
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:3504
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:1392
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:3016
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Kills process with taskkill
      PID:4672
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:3776
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:4112
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:4692
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:1752
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      Kills process with taskkill
      PID:760
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:1320
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:1412
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:2664
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      Kills process with taskkill
      PID:4632
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:4860
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:4084
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:1720
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4324
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1476
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:924
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:3656
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:4376
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:3712
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:436
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:3500
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:3896
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:2920
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:3548
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:4580
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      Kills process with taskkill
      PID:2412
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:2736
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:776
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      Kills process with taskkill
      PID:3512
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:3364
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:2868
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:4840
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:4760
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:4256
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:4628
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3588
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:1500
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:3820
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:3720
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:4112
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:1304
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3864
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4056
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Kills process with taskkill
      PID:816
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:1072
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:2356
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:3700
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4240
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4384
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:3040
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:1868
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3060
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:1120
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4892
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:660
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:2068
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:4816
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:3668
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:1468
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:5108
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:4684
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      Kills process with taskkill
      PID:1568
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:2576
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:2120
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:3884
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:808
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3132
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      Kills process with taskkill
      PID:1056
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:4536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:3188
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:4228
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      Kills process with taskkill
      PID:2352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:3364
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3608
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3468
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:2192
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      Kills process with taskkill
      PID:648
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:3016
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4672
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:3776
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:4664
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:816
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:3544
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3564
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      Kills process with taskkill
      PID:5044
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:1932
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:1312
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:3696
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4572
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:3492
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:924
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3656
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:4376
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:3712
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:3320
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3324
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:4716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:3888
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:1508
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:2172
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:2992
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      Kills process with taskkill
      PID:672
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:3200
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3512
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3464
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:2324
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:2816
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:2192
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4640
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:4888
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:944
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:1040
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:3004
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4928
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:876
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4912
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:316
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:2664
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4036
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:816
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:1876
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      Kills process with taskkill
      PID:1340
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:5040
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:4364
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:1312
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3176
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3148
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:4324
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:3108
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:4932
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:2336
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:2784
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:2436
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4584
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:5032
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      Kills process with taskkill
      PID:3080
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:3356
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:2576
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      Kills process with taskkill
      PID:3320
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:3324
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:4880
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:4988
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:4308
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3516
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:4232
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      Kills process with taskkill
      PID:2256
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:1756
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:3716
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4684
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4172
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:1220
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:716
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:3364
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:2868
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:4956
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3488
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:4640
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:2036
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:2328
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:596
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:928
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4052
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4596
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Kills process with taskkill
      PID:1320
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      Kills process with taskkill
      PID:1072
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:1436
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:1480
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:2780
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:3564
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:344
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3996
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:4252
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4088
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:1868
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:1752
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:4060
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:5096
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:3344
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:1120
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:5028
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:5004
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:1240
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:4788
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:4816
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:2420
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:2724
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:3392
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:3080
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:2688
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3300
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:1400
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3100
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3132
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:3552
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:3324
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4880
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4988
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:2136
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:4548
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:2736
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:776
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3348
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:4696
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:1668
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      Kills process with taskkill
      PID:828
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:2208
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      Kills process with taskkill
      PID:2324
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:3364
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:2868
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:4956
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      Kills process with taskkill
      PID:3488
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:4640
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:2036
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:2328
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:596
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:928
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:4052
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:4596
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:1320
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:1072
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1436
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:1480
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:2780
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:3564
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:344
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:3996
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:4252
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      Kills process with taskkill
      PID:4088
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:1868
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:1752
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4060
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:5096
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4324
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:3108
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:3760
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4904
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:2960
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:3832
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3328
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:3668
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:1416
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:808
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      Kills process with taskkill
      PID:2460
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:2396
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:3740
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:2052
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:1884
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:3320
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:3888
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1508
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:2172
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:2992
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:3116
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4752
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:3528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:1568
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:2560
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:1164
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:3604
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:2428
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      Kills process with taskkill
      PID:1392
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4256
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:2196
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:4628
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      Kills process with taskkill
      PID:1960
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:2080
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:3160
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:632
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:2944
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:2948
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:760
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:1412
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:316
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:2016
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      Kills process with taskkill
      PID:64
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:1072
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:1436
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4624
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      Kills process with taskkill
      PID:4600
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Kills process with taskkill
      PID:1008
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:1700
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:3340
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:2476
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:1936
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:3864
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:4152
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:1752
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:4060
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:5096
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Kills process with taskkill
      PID:4936
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:4080
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4932
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:2336
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:4072
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:1968
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:2784
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:4176
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:2116
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:3712
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:2120
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:1792
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3180
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3840
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:4352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      Kills process with taskkill
      PID:412
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      Kills process with taskkill
      PID:3372
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:4908
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4588
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:5020
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1056
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3824
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:3816
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:3692
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:1688
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:3448
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:436
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:4508
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3052
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3468
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:2836
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:2760
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:4972
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:4748
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:3488
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:1324
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:944
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:2328
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:596
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:928
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:4052
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3908
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:2044
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:616
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      Kills process with taskkill
      PID:4240
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:3276
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:1464
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4384
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4544
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1404
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      Kills process with taskkill
      PID:4476
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:2316
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:2264
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:3040
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      Kills process with taskkill
      PID:4160
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      Kills process with taskkill
      PID:5088
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:1304
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:4108
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:3060
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Kills process with taskkill
      PID:4884
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:3120
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:1912
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:780
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:3760
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:3628
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:3056
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:4816
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3232
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      Kills process with taskkill
      PID:3568
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:5032
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:2528
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:1672
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:540
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:1616
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:2540
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:5056
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:3808
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:1708
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Kills process with taskkill
      PID:3888
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:1508
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:2172
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:2992
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:3116
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:3200
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      Kills process with taskkill
      PID:3512
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:1992
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:4684
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:4172
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1220
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:4244
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4336
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:220
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:3280
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4272
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4640
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:2260
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:1780
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:632
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2944
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:2948
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3640
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:4912
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:3560
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:2664
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:3556
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:2848
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4736
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:3540
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4624
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:2780
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:1972
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:2316
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:2476
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:1936
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:4424
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:1832
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:1236
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:3344
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4456
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      Kills process with taskkill
      PID:4324
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:2672
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:4932
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      Kills process with taskkill
      PID:780
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:3760
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:3628
- C:\ProgramData\SoftwareDistribution\ssu.exe
  "C:\ProgramData\SoftwareDistribution\ssu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7ADD.tmp\7ADE.tmp\7ADF.bat C:\ProgramData\SoftwareDistribution\ssu.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\system32\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\amidewin.exe
      amidewin.exe /SS 31206129384402
      4⤵
      Cerber
      Executes dropped EXE
      PID:660
  - - C:\Users\Admin\AppData\Local\Temp\amidewin.exe
      amidewin.exe /BS 7092209824664
      4⤵
      Cerber
      Executes dropped EXE
      PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\amidewin.exe
      amidewin.exe /SU auto
      4⤵
      Cerber
      Executes dropped EXE
      PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\amidewin64.exe
      amidewin64.exe /SS 31216569022679
      4⤵
      Cerber
      Executes dropped EXE
      PID:3328
  - - C:\Users\Admin\AppData\Local\Temp\amidewin64.exe
      amidewin64.exe /BS 52491579314728
      4⤵
      Cerber
      Executes dropped EXE
      PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\amidewin64.exe
      amidewin64.exe /SU auto
      4⤵
      Cerber
      Executes dropped EXE
      PID:4992
  - - C:\Windows\system32\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:2116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SoftwareDistribution\OS.bat" "
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
    3⤵
    PID:3256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\find.exe
      find /c /v ""
      4⤵
      PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TYPE C:\antiOS\host.txt
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
    3⤵
    PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\find.exe
      find /c /v ""
      4⤵
      PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TYPE C:\antiOS\host.txt
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "C:\antiOS\mac.txt"|find /c /v ""
    3⤵
    PID:404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\mac.txt""
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\find.exe
      find /c /v ""
      4⤵
      PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TYPE C:\antiOS\mac.txt
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where caption='Admin' rename acinar
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "NV Hostname" /t REG_SZ /d tidies /f
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v Hostname /t REG_SZ /d tidies /f
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" /v ComputerName /t REG_SZ /d tidies /f
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v ComputerName /t REG_SZ /d tidies /f
    3⤵
    PID:3372
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner /t REG_SZ /d acinar /f
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 00331-10942-00001-A16E3 /f
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId /t REG_BINARY /d A4000000000003030312D3836382D303030303030372D383535353700AA0000005831352D3333000000000000000C3AABF0124BA18B8878E89D0124000000000000396CC459BD0300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000DB396736 /f
    3⤵
    PID:672
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId4 /t REG_BINARY /d 89047BA10400000030003000330037DB39002D00300030003100370030002D003800360038002D003000300030003000300030002D00300033002D0031003000330033002D0037003600300031002E0030003000300030002D00320036003500320030003100370000000000000000000000000000000000000000000000000000000000000000006200390032006500389047BA180030002D0062003900035002D0034003800320031002D0039006300390034002D0031003400300066003600330032006600360033003100320000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050006F0066006500730073006DB39F006E0061006C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000C3AABFA65BBA18B889D24ED80000C6189047BA1D0BEDFD25EDB3945B89FFF45564B84E87CB968EC7F4D18F6E5066261A0B704B9D2739558B7E97DF882AB087AB0D8A314BA9BB1E06029EA28D5800310035002D0033003900310037003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C0075006D006A00470056004C004B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C007D0065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 /f
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Registration" /v ProductId /t REG_SZ /d 00331-10000-00001-A16E3 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:3924
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer" /v svcKBNumber /t REG_SZ /d KB3170552 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4752
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_DWORD /d 1505525181 /f
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration" /v "IE Installed Date" /t REG_BINARY /d 1505525181 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1220
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {89047BA1-DB39-0124-DB39-809824356DC3} /f
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {89047BA1-DB39-0124-DB39-6a9824356DC3} /f
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {89047BA1-DB39-0124-DB39-6a9824356DC3} /f
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\BootCKCLSettings" /v GUID /t REG_SZ /d {89047BA1-DB39-0124-DB39-3e9824356DC3} /f
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\SecondaryLogonCKCLSettings" /v GUID /t REG_SZ /d {89047BA1-DB39-0124-DB39-3e9824356DC3} /f
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\ShutdownCKCLSettings" /v GUID /t REG_SZ /d {89047BA1-DB39-0124-DB39-3e9824356DC3} /f
    3⤵
    PID:596
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {89047BA1-DB39-0124-DB39-809824356DC3} /f
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d 89047BA1-DB39-0124-DB39-e79824356DC3 /f
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild /t REG_SZ /d 14213 /f
    3⤵
    PID:928
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber /t REG_SZ /d 14213 /f
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLab /t REG_SZ /d 14213.rs1_release.171161-2100 /f
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx /t REG_SZ /d 14213.1944.amd64fre.rs1_release.171161-2100 /f
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d 89047BA1-DB39-0124-DB39-9824356DC3 /f
    3⤵
    PID:212
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Connected" /v GUID /t REG_SZ /d {A28BBADE-DB39-0124-DB39-009824356DC3} /f
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Disconnected" /v GUID /t REG_SZ /d {143E4E83-DB39-0124-DB39-009824356DC3} /f
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\EmailImage" /v GUID /t REG_SZ /d {C66DCEE1-DB39-0124-DB39-2F9824356DC3} /f
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\FaxImage" /v GUID /t REG_SZ /d {C00EB793-DB39-0124-DB39-009824356DC3} /f
    3⤵
    PID:316
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\PrintImage" /v GUID /t REG_SZ /d {B441F425-DB39-0124-DB39-009824356DC3} /f
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\ScanButton" /v GUID /t REG_SZ /d {A6C5A715-DB39-0124-DB39-009824356DC3} /f
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\STIproxyEvent" /v GUID /t REG_SZ /d {d711f81f-DB39-0124-DB39-929824356DC3} /f
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE" /v value /t REG_SZ /d {27720B92-DB39-0124-DB39-929824356DC3} /f
    3⤵
    - Modifies registry class
    PID:4876
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:4604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:3820
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /t REG_SZ /d 89047BA1-DB39-0124-DB39-c99824356DC3 /f
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /t REG_BINARY /d A4000000000003030312D3836382D303039824356DC3D383535353700AA0000005831352D3333000000000000000C3AABF0124BA18B8878E89D0124000000000000396CC459BD0300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000DB396736 /f
    3⤵
    PID:4108
- - C:\Windows\SysWOW64\net.exe
    net start wuauserv
    3⤵
    PID:3716
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start wuauserv
      4⤵
      PID:4696
- - C:\antiOS\Volumeid64.exe
    C:\antiOS\Volumeid64.exe /accepteula
    3⤵
    - Executes dropped EXE
    PID:3356
- - C:\antiOS\Volumeid64.exe
    C:\antiOS\Volumeid64.exe
    3⤵
    - Executes dropped EXE
    PID:1792
- - C:\antiOS\Volumeid64.exe
    C:\antiOS\Volumeid64.exe /accepteula
    3⤵
    - Executes dropped EXE
    PID:3372
- - C:\antiOS\Volumeid64.exe
    C:\antiOS\Volumeid64.exe C: A930-16E3
    3⤵
    - Executes dropped EXE
    PID:3212
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007" /v NetworkAddress /d 000B89377840 /f
    3⤵
    PID:1176
- C:\ProgramData\SoftwareDistribution\(3)D.exe
  "C:\ProgramData\SoftwareDistribution\(3)D.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:1296
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A1D.tmp\A1E.tmp\A1F.bat C:\ProgramData\SoftwareDistribution\(3)D.exe"
    3⤵
    PID:2080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
      4⤵
      PID:1176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
        5⤵
        
        PID:4908
    - - C:\Windows\system32\find.exe
        
        find /c /v ""
        5⤵
        
        PID:4880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
      4⤵
      PID:3824
    - - C:\Windows\system32\find.exe
        
        find /c /v ""
        5⤵
        
        PID:4548
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
        5⤵
        
        PID:3244
- C:\ProgramData\SoftwareDistribution\(4)E.exe
  "C:\ProgramData\SoftwareDistribution\(4)E.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:3820
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\124B.tmp\125B.tmp\125C.bat C:\ProgramData\SoftwareDistribution\(4)E.exe"
    3⤵
    PID:736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
      4⤵
      PID:316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
        5⤵
        
        PID:4912
    - - C:\Windows\system32\find.exe
        
        find /c /v ""
        5⤵
        
        PID:3640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
      4⤵
      PID:1348
    - - C:\Windows\system32\find.exe
        
        find /c /v ""
        5⤵
        
        PID:1072
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
        5⤵
        
        PID:1412
- C:\ProgramData\SoftwareDistribution\(5)F.exe
  "C:\ProgramData\SoftwareDistribution\(5)F.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:3256
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1A3A.tmp\1A3B.tmp\1A3C.bat C:\ProgramData\SoftwareDistribution\(5)F.exe"
    3⤵
    PID:4508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
      4⤵
      PID:3196
    - - C:\Windows\system32\find.exe
        
        find /c /v ""
        5⤵
        
        PID:2276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
        5⤵
        
        PID:2120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
      4⤵
      PID:3416
    - - C:\Windows\system32\find.exe
        
        find /c /v ""
        5⤵
        
        PID:3180
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
        5⤵
        
        PID:2688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1884
  2⤵
  - Program crash
  PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1936 -ip 1936
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SoftwareDistribution\(3)D.exe

Filesize
90KB

MD5
4298d529dec1c56798c51f9c89844fee

SHA1
7a16376dad62ac9901b7b411cb641259fcf5b737

SHA256
f3903193f027c7c28eddfa28be50faed737b4e679d5a27a27210ccf925be4b02

SHA512
7c6db1a0d2c752a4659a0a38b2476d872d6eeaedd53f946215b31c271b0d2bda1fe5016f0073907cf5079c1f45f2766ea2ee1e7a64b26b9179d85c8de1d4555e

Download Submit
C:\ProgramData\SoftwareDistribution\(3)D.exe

Filesize
90KB

MD5
4298d529dec1c56798c51f9c89844fee

SHA1
7a16376dad62ac9901b7b411cb641259fcf5b737

SHA256
f3903193f027c7c28eddfa28be50faed737b4e679d5a27a27210ccf925be4b02

SHA512
7c6db1a0d2c752a4659a0a38b2476d872d6eeaedd53f946215b31c271b0d2bda1fe5016f0073907cf5079c1f45f2766ea2ee1e7a64b26b9179d85c8de1d4555e

Download Submit
C:\ProgramData\SoftwareDistribution\(4)E.exe

Filesize
90KB

MD5
f0c15627354791c1296d8d86e6bb4622

SHA1
689745b509f2c7b2805954a361a2e1f71a36849c

SHA256
b16729792c3cac0f0d412309658d3605c417eb4f624567b0e37d3675d72ddf7a

SHA512
55d50a4f81d7f415b67b2e4899febb6677806b097613597b4780e1ccd7d46682753b877997312be61a4a49091219c407ee55d0acdaea85f58407f9b209ae864d

Download Submit
C:\ProgramData\SoftwareDistribution\(4)E.exe

Filesize
90KB

MD5
f0c15627354791c1296d8d86e6bb4622

SHA1
689745b509f2c7b2805954a361a2e1f71a36849c

SHA256
b16729792c3cac0f0d412309658d3605c417eb4f624567b0e37d3675d72ddf7a

SHA512
55d50a4f81d7f415b67b2e4899febb6677806b097613597b4780e1ccd7d46682753b877997312be61a4a49091219c407ee55d0acdaea85f58407f9b209ae864d

Download Submit
C:\ProgramData\SoftwareDistribution\(5)F.exe

Filesize
90KB

MD5
4c509f7b464f512b1075b2492a3f968f

SHA1
01166d44f3cadf6c169fc940185cc9d7526d102e

SHA256
45bb3164d993cfdaf0041ab9f859a35342303e01d5c26b821e32ed5c22412f68

SHA512
c36915116813005ffc23ecb6093f2fa6de76d5d9d4645c96244bcc17c6e3a8c9d41e0d73dbea5f1811f93b4bcdc06c70ff390acf41b6b736ad9e56ad003e5d34

Download Submit
C:\ProgramData\SoftwareDistribution\(5)F.exe

Filesize
90KB

MD5
4c509f7b464f512b1075b2492a3f968f

SHA1
01166d44f3cadf6c169fc940185cc9d7526d102e

SHA256
45bb3164d993cfdaf0041ab9f859a35342303e01d5c26b821e32ed5c22412f68

SHA512
c36915116813005ffc23ecb6093f2fa6de76d5d9d4645c96244bcc17c6e3a8c9d41e0d73dbea5f1811f93b4bcdc06c70ff390acf41b6b736ad9e56ad003e5d34

Download Submit
C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe

Filesize
157KB

MD5
b0abe5b0254f8d2619952e3d718bc9a1

SHA1
83d61524e810bac8050420acb4ce11a7ff14de9e

SHA256
2101634c64bb96f49d3a0ab1f606ab4e7fa3bbd745d5602ddac274111e5e00b6

SHA512
e730570af15e82b47bcdd52fe7475d24f493e4fd0820ccf33553d3d40e80a0926aa1794700ac139865bf10a62fe0c82444035085d165805834c3cf3cfc5c1c15

Download Submit
C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe

Filesize
157KB

MD5
b0abe5b0254f8d2619952e3d718bc9a1

SHA1
83d61524e810bac8050420acb4ce11a7ff14de9e

SHA256
2101634c64bb96f49d3a0ab1f606ab4e7fa3bbd745d5602ddac274111e5e00b6

SHA512
e730570af15e82b47bcdd52fe7475d24f493e4fd0820ccf33553d3d40e80a0926aa1794700ac139865bf10a62fe0c82444035085d165805834c3cf3cfc5c1c15

Download Submit
C:\ProgramData\SoftwareDistribution\OS.bat

Filesize
16KB

MD5
b862dc18754b2a3449af25a40df09ed8

SHA1
1f1a4d1cd156a0ea13a9ea9c7712150e6528b8e8

SHA256
5e600769f979154832b34b831e3322b0ba164af671e40110e2a71a9359d6c24c

SHA512
89768117a87124e93d42d22e18342b27496af7bf9d0f93b51b2609c14d098340c3767a9a0d59526d5a7358e2b07a8faae33df90ee2a7673717d02cfcd23dc2f7

Download Submit
C:\ProgramData\SoftwareDistribution\ssu.exe

Filesize
408KB

MD5
b300ceae379544d8ffbf6d2b6eeb1f6a

SHA1
0976ed9db45832f05e560b8dcca0782cd72e8b1d

SHA256
e1182deec71195e11fd4580f435dc461dd194a3ae9954dc441235c2f138377e1

SHA512
0012bf10e60411d6c5e71ab161e0deb0c505e029639eaa1919420558f465d01af34c68f2ae79b8b771b0d61b589eaf364978f0a42fd1139153e61658f7248d20

Download Submit
C:\ProgramData\SoftwareDistribution\ssu.exe

Filesize
408KB

MD5
b300ceae379544d8ffbf6d2b6eeb1f6a

SHA1
0976ed9db45832f05e560b8dcca0782cd72e8b1d

SHA256
e1182deec71195e11fd4580f435dc461dd194a3ae9954dc441235c2f138377e1

SHA512
0012bf10e60411d6c5e71ab161e0deb0c505e029639eaa1919420558f465d01af34c68f2ae79b8b771b0d61b589eaf364978f0a42fd1139153e61658f7248d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\124B.tmp\125B.tmp\125C.bat

Filesize
2KB

MD5
906a599e1ce4b10b1ff4e8b5f9cdf7ae

SHA1
0e285bd269bf7d24cb98bab8e91c5003762d754a

SHA256
68cc4c4aeb7dafc4e9ec9334384dfe3ffabe1b92ba973fece26fee21e6d89467

SHA512
e619539601b3726333d8dfafbef9d08e60976ca12a28b28361ed3ab6c52e078ef9a1c7b88942abf257e6b29d28cb651e29b87a27255c3ed0c43f295de39eb6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A3A.tmp\1A3B.tmp\1A3C.bat

Filesize
2KB

MD5
cc67ad8e27c483af2fb299236ddcb7c2

SHA1
b5303fbd0acc6c0aec1cd076cd75911489f665c3

SHA256
17a567915c13c10c1ed5eead97780db78f6e45329377e6ddcf0c0cdc113c65d9

SHA512
e0bca0facabe92ccc8c625e6a4926746bfc4f01de0358762cca24c52fd79ded7e8eb25ca9c074d9308cc3d504f27c12fd33de23ff0f5c53aedb7e9a47d44d69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6959.tmp\695A.tmp\695B.bat

Filesize
3KB

MD5
f19a220d54798c7ac2bd737ffcbef066

SHA1
b03a54f6ae29a35b7d2acc25d6f94a3eaed5725f

SHA256
0f0f01751bde3fe2524f5f3a061c05958b327c359fc8ce5643dd470e38a0c929

SHA512
e7ece5da56ee73a14fd1fb85b6536d87717afa7e37d6a43da5dcef0d1562a28f101a4350290b46c1a5fdb503e43ba95c40979cf8a188a428bc41cfd0bf1382d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CB4.tmp\6CB5.tmp\6CB6.bat

Filesize
226B

MD5
9a9b63363859ed86d14cfb709ec6e9b0

SHA1
026387ad72417fa9997e9e88c5c147f06a420fc6

SHA256
ac17d99ee2b03f27a89fb410ff4f9cfebc4d6674cbbc9d273738b5575988e7cf

SHA512
d56b4909d193934fe3a2b51dd65016615d70fc018cd0c9215a178e82045a7f315def4345db7343017b076aee6964fdb07604c45ca253b29f4149812b03831869

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ADD.tmp\7ADE.tmp\7ADF.bat

Filesize
405B

MD5
05de1dae5e34444a22abe9e587b8c2ed

SHA1
55407b2fb1132d68d75960255e1a87198eb7c86f

SHA256
f5b8428dee5107c5721d4a2ad1b4dfd040ec4381384d983bb2804ed3aa4643d8

SHA512
5cb1eddc5520491f403ecc6fcde4d9cd8ba8be49642b3d31ab047875e9a0702257039aa33423b4203b0a4ee8b13fda8fada7dd53e6d44d0323032e9a9197c20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D.tmp\A1E.tmp\A1F.bat

Filesize
2KB

MD5
87ad2f7056931e0f4a02b26088ba5d88

SHA1
5bf086adfffece774201b046fea373e1c598b57d

SHA256
f2142ea4b18e03798486a5ac097392cf7a33589b400412672469693521618dca

SHA512
dfa8573aea6ec133e3a06d75e680c34c3046b9e2a8bf447a18ed9007ced8c5a37a7ef280b9fe5f46a52e060ccdeb3d8ec1c7d59ac3f0ed97ec4b342c1d92a429

Download Submit
C:\Users\Admin\AppData\Local\Temp\At.exe

Filesize
6KB

MD5
7a83dfc93e79a3764b20b6f87e761267

SHA1
c8f79a0bf7a9e67f078a789dd95aa69f59a318ca

SHA256
47e2bc9bbe01cd162a998310be62a62e10471a88f7d6bf1cddb8ecf0db3a639a

SHA512
21e0e2974bd0c6febea0c9b402d4408e763fe7df2b7efff5233a9a12ad3b707a78904ef277abf686ce01782a06753dd3d7b626408d39d67ab326797d9e539b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\At.exe

Filesize
6KB

MD5
7a83dfc93e79a3764b20b6f87e761267

SHA1
c8f79a0bf7a9e67f078a789dd95aa69f59a318ca

SHA256
47e2bc9bbe01cd162a998310be62a62e10471a88f7d6bf1cddb8ecf0db3a639a

SHA512
21e0e2974bd0c6febea0c9b402d4408e763fe7df2b7efff5233a9a12ad3b707a78904ef277abf686ce01782a06753dd3d7b626408d39d67ab326797d9e539b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\DisableCtrlAltDel.exe

Filesize
56KB

MD5
fe768b97eaf316452558e7e60ddae3f7

SHA1
2863f81516e72950431c6e3a42c8d7d1f31f6a04

SHA256
55183466f502aac15d426933e123783bbf0250e9908760fcbb6dff1550d1f680

SHA512
a80eac189662756a09be09efa4303f2f230d51e37f6e38ff7198e18166b07ade9753dece4bbd2785a5a90ee5371353bce467671d30dc2bf16a5c13bcbaab2801

Download Submit
C:\Users\Admin\AppData\Local\Temp\DisableCtrlAltDel.exe

Filesize
56KB

MD5
fe768b97eaf316452558e7e60ddae3f7

SHA1
2863f81516e72950431c6e3a42c8d7d1f31f6a04

SHA256
55183466f502aac15d426933e123783bbf0250e9908760fcbb6dff1550d1f680

SHA512
a80eac189662756a09be09efa4303f2f230d51e37f6e38ff7198e18166b07ade9753dece4bbd2785a5a90ee5371353bce467671d30dc2bf16a5c13bcbaab2801

Download Submit
C:\Users\Admin\AppData\Local\Temp\Make-EXE0\Untitled1.ps1

Filesize
392B

MD5
08ffd0f10f8d3b4eb1b0ffc3acf09667

SHA1
6e457811de6ddc2bb7b7a2696ca1237bf0e697a8

SHA256
95ba5ee92132b05cfb029ff8f8c72614eebf7166f6fa432d762684908fdb778a

SHA512
95e17ee10844c70002a2f19b46cb35491f1a760372debd776e47217e806daa1fb0380705f510ab590431ce7eb1955e4b4f7c5cfb6aa315601062017aa63b616f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES761A.tmp

Filesize
1KB

MD5
871df1a196d678524384360cc6185fa9

SHA1
e7980b43584684453b8e6a1a2fb9fc76e13a8e93

SHA256
4e23c554238bdd17c81b8d27af58285e21400d17b9512752ceeb5621bdfbc499

SHA512
9173895b17962c43101c8585118db3ec58bc46098b12a27d61748aea8ecda7645b8e5a2e1d55121e97da5ac3d84730c94b143f2acfd40215393b329ac27b11ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin.exe

Filesize
368KB

MD5
2a9f489fa0834b84b16bd6c8ceab69c5

SHA1
85905cb94b4f4ebc9eb9a9627a6dc7e217537205

SHA256
0e73fa53b6251a40937c44efca836c17a1b8cf6e7991258b4b1973c9129f1177

SHA512
2913929a37f50d9f945c5764841a29fa95ac62cc0943ea7493d726005b19cb936a30bbfad69724cb76f77d250eabd78e6af7936b5c3033bf5eba6675f0ef0f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin.exe

Filesize
368KB

MD5
2a9f489fa0834b84b16bd6c8ceab69c5

SHA1
85905cb94b4f4ebc9eb9a9627a6dc7e217537205

SHA256
0e73fa53b6251a40937c44efca836c17a1b8cf6e7991258b4b1973c9129f1177

SHA512
2913929a37f50d9f945c5764841a29fa95ac62cc0943ea7493d726005b19cb936a30bbfad69724cb76f77d250eabd78e6af7936b5c3033bf5eba6675f0ef0f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin.exe

Filesize
368KB

MD5
2a9f489fa0834b84b16bd6c8ceab69c5

SHA1
85905cb94b4f4ebc9eb9a9627a6dc7e217537205

SHA256
0e73fa53b6251a40937c44efca836c17a1b8cf6e7991258b4b1973c9129f1177

SHA512
2913929a37f50d9f945c5764841a29fa95ac62cc0943ea7493d726005b19cb936a30bbfad69724cb76f77d250eabd78e6af7936b5c3033bf5eba6675f0ef0f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin.exe

Filesize
368KB

MD5
2a9f489fa0834b84b16bd6c8ceab69c5

SHA1
85905cb94b4f4ebc9eb9a9627a6dc7e217537205

SHA256
0e73fa53b6251a40937c44efca836c17a1b8cf6e7991258b4b1973c9129f1177

SHA512
2913929a37f50d9f945c5764841a29fa95ac62cc0943ea7493d726005b19cb936a30bbfad69724cb76f77d250eabd78e6af7936b5c3033bf5eba6675f0ef0f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin64.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin64.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin64.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin64.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Users\Admin\AppData\Local\Temp\user.exe

Filesize
103KB

MD5
8e22afbd3e12ac2be4d9ca11d7053565

SHA1
c42271e81d7180dac7b92751d3c5262669afe771

SHA256
0c49a3468816dde22763ac52d3c5d901054173442a7aa1455ac8beb339f92fd9

SHA512
227f5c4b2997b4bd3226afabc8a04f2ad00a47c2a3a810accaa2dae6647b12487b3142a09ad08ffc21082678d8fd8824974af08dcb9403bf3fa9835b318e09f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\user.exe

Filesize
103KB

MD5
8e22afbd3e12ac2be4d9ca11d7053565

SHA1
c42271e81d7180dac7b92751d3c5262669afe771

SHA256
0c49a3468816dde22763ac52d3c5d901054173442a7aa1455ac8beb339f92fd9

SHA512
227f5c4b2997b4bd3226afabc8a04f2ad00a47c2a3a810accaa2dae6647b12487b3142a09ad08ffc21082678d8fd8824974af08dcb9403bf3fa9835b318e09f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\z00mutgv\z00mutgv.dll

Filesize
3KB

MD5
bbb136b1c12fed5283af84cc4e6dcd9b

SHA1
666caaef63155800852c148518e62bbc72bb8475

SHA256
0c0fce79673e0882df60664717ebcfdd0ce52273307cb68b752c12ae2c7b9fe9

SHA512
994ebf69425dbb84fd28db2c59cb6ca2e48e969c8bb12c8fee440f880096ed601eb91ae113e08753f9a3198404cd842c5ccfdb27c11645d3d522a7a4fa6ef0e0

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\host.txt

Filesize
2KB

MD5
8c1e23bbedd7d0951217fc095fecbd48

SHA1
b7c0323f215dcfbc35f32a178ac4dc3527553b1a

SHA256
9ba787ee2824879e68501320fb59d4f7925afb0390a84dd0c32dda7740909b33

SHA512
4c05fd76e7c3bf580625cba6c49b5c8401dccd63d83afbae34bd01c81945aa82155c7b436f18286eb42542107160c3c9006f9535a7bcee67787dd30e16e68ace

Download Submit
C:\antiOS\mac.txt

Filesize
157KB

MD5
031ea2f82b7e23bff1d077fe8db1cfb5

SHA1
e5f99fa46093d23e871ffa3ac62644519453bcfa

SHA256
c87f35df9e5109c7be9cb970e101ca47e268daecfb967fe07281ac482183d297

SHA512
37e288d8cc50c3c8a76ec0d6d9f9cc4da6e7d4a32852ff83c5d73d93220fcaa049004a07358ac3238dacfaca1e3db49fb9f9ea2a9665d77951816ed8464890fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z00mutgv\CSCE5AB3705204441EB25DD25DBCA57039.TMP

Filesize
652B

MD5
e11aa58b93b898a6cebea54ea7643649

SHA1
06f8e9d18fbe03147aed0eb655f8aba2953d3fbf

SHA256
fa6ef92ba3e15dd47d9a0e3d5885be4786df9d10f9d7b215395cc36a8546f4a7

SHA512
98df67ba93087b46b0a71801c48a3f0adf4e46ed62ae9c45af85528c87c3cec926e3095cc721bcf4e5c793f3fb8256b4406d26fe12799c4e3716369d9e70c7a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z00mutgv\z00mutgv.0.cs

Filesize
213B

MD5
fd1b8966f1b6ac639be54d4098c56f20

SHA1
aacf8c0ffb03f74ae56ebd11609ea1a3331e498f

SHA256
5762d43712670d1d00b77bd0b94b0ddff2a384ecec27001ece93e6fd38622a52

SHA512
6f0b1222aa1a44c015354d3bd1cb98ecc5f8548f572097e6053910eb935d7182dafd16b7de8711985170f0830bd43a72d4875b9363e6eb515fba48b137bbf30f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z00mutgv\z00mutgv.cmdline

Filesize
369B

MD5
e345344e74739bb7e4ad8d99b47a740c

SHA1
ccfff9477269b767ae9f01b64755caec3cd2a0cb

SHA256
a6a52dc012710459c4c7b76c2ae2a9ebac703a8739e9665b98f0eead7cde81ce

SHA512
7a6375312d910d71e9f88a6ab557eeaf54f93dcd1a3135aa6f2fd8389b435c92e4baca0662f9afacab7cd663162653b5426f8d4180f70574f3080ca93259d3e0

Download Submit
memory/1936-132-0x00000000000A0000-0x0000000000154000-memory.dmp

Filesize
720KB

Download
memory/1936-134-0x0000000007B20000-0x0000000007BB2000-memory.dmp

Filesize
584KB

Download
memory/1936-135-0x0000000007DB0000-0x0000000007DBA000-memory.dmp

Filesize
40KB

Download
memory/1936-133-0x0000000008010000-0x00000000085B4000-memory.dmp

Filesize
5.6MB

Download
memory/3612-153-0x00007FFFE0150000-0x00007FFFE0C11000-memory.dmp

Filesize
10.8MB

Download
memory/3612-150-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/4636-154-0x00007FFFE0150000-0x00007FFFE0C11000-memory.dmp

Filesize
10.8MB

Download
memory/4636-155-0x000001AE48540000-0x000001AE48562000-memory.dmp

Filesize
136KB

Download
memory/4636-232-0x00007FFFE0150000-0x00007FFFE0C11000-memory.dmp

Filesize
10.8MB

Download