cerber | 045f15732d3999f475ae5e25b88011f86c059444a55817b0ce1a60beee4c347f

Resubmissions

18-10-2022 09:52

221018-lv2qtafch9 10

18-10-2022 09:48

221018-ls996sfch6 3

03-09-2022 05:48

220903-ghmnxaacfj 10

Analysis

max time kernel
66s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2022 09:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Vanguard_Spoofer.exe
Size

697KB
MD5

ac247152e9e48cf792cbc986c39a77b7
SHA1

0174007199120da8d24125430720442373508c98
SHA256

045f15732d3999f475ae5e25b88011f86c059444a55817b0ce1a60beee4c347f
SHA512

e27a7ebc1c4e15dc55fba6c97a83d888d58fe4d4e711c7e77d446f0e0be5c82e57e2f3ef5d2a5bb9a13ec2d85aa295fee1e4dc1fe680c9ace91fb7043b89d56f
SSDEEP

12288:Mg5E6JOtYvjofCHjacgC9DHDw82japb1DOMvSastXAJU0u3KKRSozfg5WdC7O:MgdOtMooGcgC9D5sivvSLtXAJ83KKRSs

Score

10^/10

cerber ransomware

Malware Config

Signatures

Cerber 51 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
		4656	taskkill.exe
		4916	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin.exe
		948	taskkill.exe
		4100	taskkill.exe
		3624	taskkill.exe
		2252	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin64.exe
		5084	taskkill.exe
		3532	taskkill.exe
		244	taskkill.exe
		3092	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin64.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin64.exe
		2732	taskkill.exe
		4516	taskkill.exe
		4784	taskkill.exe
		4284	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin.exe
		4228	taskkill.exe
		4396	taskkill.exe
		2520	taskkill.exe
		4948	taskkill.exe
		228	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin64.exe
		460	taskkill.exe
		2332	taskkill.exe
		1836	taskkill.exe
		4528	taskkill.exe
		4464	taskkill.exe
		2052	taskkill.exe
		4224	taskkill.exe
		5012	taskkill.exe
		2488	taskkill.exe
		4996	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin.exe
		3568	taskkill.exe
		892	taskkill.exe
		1968	taskkill.exe
		2332	taskkill.exe
		3372	taskkill.exe
		3664	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin64.exe
		4712	taskkill.exe
		3984	taskkill.exe
		1104	taskkill.exe
		3564	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		amidewin64.exe

Downloads MZ/PE file

Executes dropped EXE 40 IoCs

pid	Process
332	MicrosoftLogs.exe
4572	user.exe
3168	At.exe
4668	DisableCtrlAltDel.exe
2560	ssu.exe
4404	amidewin.exe
4228	amidewin.exe
2416	amidewin.exe
2368	amidewin64.exe
3048	amidewin64.exe
4072	amidewin64.exe
3208	Volumeid64.exe
4932	Volumeid64.exe
5000	Volumeid64.exe
3408	Volumeid64.exe
2544	(3)D.exe
4336	(4)E.exe
2640	(5)F.exe
3092	(7)TiskKill.exe
1968	Mac.exe
332	MicrosoftLogs.exe
4572	user.exe
3168	At.exe
4668	DisableCtrlAltDel.exe
2560	ssu.exe
4404	amidewin.exe
4228	amidewin.exe
2416	amidewin.exe
2368	amidewin64.exe
3048	amidewin64.exe
4072	amidewin64.exe
3208	Volumeid64.exe
4932	Volumeid64.exe
5000	Volumeid64.exe
3408	Volumeid64.exe
2544	Process not Found
4336	Process not Found
2640	Process not Found
3092	Process not Found
1968	Process not Found

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	(3)D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	(4)E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard_Spoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Vanguard_Spoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	(5)F.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	(7)TiskKill.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	MicrosoftLogs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	MicrosoftLogs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	user.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	user.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
2724	timeout.exe
3420	timeout.exe
1608	timeout.exe
2724	timeout.exe
3420	timeout.exe
1608	timeout.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
948	Process not Found
460	taskkill.exe
4448	taskkill.exe
2520	taskkill.exe
4564	taskkill.exe
244	taskkill.exe
1204	taskkill.exe
4156	taskkill.exe
1760	taskkill.exe
4876	taskkill.exe
4468	taskkill.exe
3148	Process not Found
2284	Process not Found
3980	taskkill.exe
5076	taskkill.exe
4948	taskkill.exe
3048	Process not Found
1528	taskkill.exe
3136	taskkill.exe
2732	taskkill.exe
3020	taskkill.exe
4596	taskkill.exe
756	taskkill.exe
1492	Process not Found
1336	taskkill.exe
1736	taskkill.exe
2784	taskkill.exe
3092	taskkill.exe
3568	taskkill.exe
4196	taskkill.exe
3620	taskkill.exe
1232	Process not Found
4812	Process not Found
4500	Process not Found
4656	taskkill.exe
244	taskkill.exe
228	taskkill.exe
472	taskkill.exe
3264	taskkill.exe
1204	taskkill.exe
4596	Process not Found
4224	Process not Found
4536	taskkill.exe
2416	taskkill.exe
1668	taskkill.exe
3144	Process not Found
1156	taskkill.exe
1052	taskkill.exe
4768	taskkill.exe
3912	taskkill.exe
892	taskkill.exe
244	taskkill.exe
4208	taskkill.exe
5112	taskkill.exe
4028	taskkill.exe
4156	taskkill.exe
2264	taskkill.exe
3892	taskkill.exe
1952	Process not Found
1264	taskkill.exe
2252	taskkill.exe
3860	taskkill.exe
216	Process not Found
2544	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Registration	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\svcKBNumber = "KB3170158"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration\IE Installed Date = 1501586673	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Registration	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Registration\ProductId = "00331-10000-00001-A69B1"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\svcKBNumber = "KB3170158"	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration\IE Installed Date = 1501586673	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Registration\ProductId = "00331-10000-00001-A69B1"	reg.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{27720B92-07D7-ED5B-07D7-9264475647AD}"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{27720B92-07D7-ED5B-07D7-9264475647AD}"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3800	Process not Found
3372	Process not Found
3800	reg.exe
3372	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1764	powershell.exe
1764	powershell.exe
4668	DisableCtrlAltDel.exe
4668	DisableCtrlAltDel.exe
1764	powershell.exe
1764	powershell.exe
4668	DisableCtrlAltDel.exe
4668	DisableCtrlAltDel.exe

Suspicious behavior: LoadsDriver 12 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	Vanguard_Spoofer.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	460	taskkill.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeDebugPrivilege	4464	taskkill.exe
Token: SeDebugPrivilege	3568	taskkill.exe
Token: SeDebugPrivilege	3664	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	4668	DisableCtrlAltDel.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	4656	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	4100	taskkill.exe
Token: SeDebugPrivilege	228	taskkill.exe
Token: SeDebugPrivilege	244	taskkill.exe
Token: SeDebugPrivilege	3092	taskkill.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	4284	taskkill.exe
Token: SeDebugPrivilege	3564	taskkill.exe
Token: SeDebugPrivilege	3372	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	4712	taskkill.exe
Token: SeDebugPrivilege	3624	taskkill.exe
Token: SeDebugPrivilege	5084	taskkill.exe
Token: SeDebugPrivilege	4396	taskkill.exe
Token: SeDebugPrivilege	4224	taskkill.exe
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	3568	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	3192	taskkill.exe
Token: SeDebugPrivilege	4448	taskkill.exe
Token: SeDebugPrivilege	4744	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeDebugPrivilege	4768	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	4100	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	780	taskkill.exe
Token: SeDebugPrivilege	5064	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 1232	3976	Vanguard_Spoofer.exe	90
PID 3976 wrote to memory of 1232	3976	Vanguard_Spoofer.exe	90
PID 3976 wrote to memory of 1232	3976	Vanguard_Spoofer.exe	90
PID 3976 wrote to memory of 332	3976	Vanguard_Spoofer.exe	92
PID 3976 wrote to memory of 332	3976	Vanguard_Spoofer.exe	92
PID 3976 wrote to memory of 332	3976	Vanguard_Spoofer.exe	92
PID 332 wrote to memory of 2888	332	MicrosoftLogs.exe	93
PID 332 wrote to memory of 2888	332	MicrosoftLogs.exe	93
PID 2888 wrote to memory of 3692	2888	cmd.exe	96
PID 2888 wrote to memory of 3692	2888	cmd.exe	96
PID 2888 wrote to memory of 4572	2888	cmd.exe	97
PID 2888 wrote to memory of 4572	2888	cmd.exe	97
PID 2888 wrote to memory of 4572	2888	cmd.exe	97
PID 2888 wrote to memory of 3168	2888	cmd.exe	98
PID 2888 wrote to memory of 3168	2888	cmd.exe	98
PID 2888 wrote to memory of 4916	2888	cmd.exe	100
PID 2888 wrote to memory of 4916	2888	cmd.exe	100
PID 3168 wrote to memory of 1764	3168	At.exe	101
PID 3168 wrote to memory of 1764	3168	At.exe	101
PID 4572 wrote to memory of 3748	4572	user.exe	102
PID 4572 wrote to memory of 3748	4572	user.exe	102
PID 1764 wrote to memory of 3744	1764	powershell.exe	104
PID 1764 wrote to memory of 3744	1764	powershell.exe	104
PID 3748 wrote to memory of 1608	3748	cmd.exe	105
PID 3748 wrote to memory of 1608	3748	cmd.exe	105
PID 2888 wrote to memory of 460	2888	cmd.exe	106
PID 2888 wrote to memory of 460	2888	cmd.exe	106
PID 2888 wrote to memory of 2332	2888	cmd.exe	108
PID 2888 wrote to memory of 2332	2888	cmd.exe	108
PID 3744 wrote to memory of 4404	3744	csc.exe	107
PID 3744 wrote to memory of 4404	3744	csc.exe	107
PID 2888 wrote to memory of 4228	2888	cmd.exe	109
PID 2888 wrote to memory of 4228	2888	cmd.exe	109
PID 2888 wrote to memory of 4464	2888	cmd.exe	110
PID 2888 wrote to memory of 4464	2888	cmd.exe	110
PID 2888 wrote to memory of 3568	2888	cmd.exe	111
PID 2888 wrote to memory of 3568	2888	cmd.exe	111
PID 2888 wrote to memory of 3664	2888	cmd.exe	112
PID 2888 wrote to memory of 3664	2888	cmd.exe	112
PID 2888 wrote to memory of 2252	2888	cmd.exe	113
PID 2888 wrote to memory of 2252	2888	cmd.exe	113
PID 2888 wrote to memory of 892	2888	cmd.exe	114
PID 2888 wrote to memory of 892	2888	cmd.exe	114
PID 2888 wrote to memory of 2520	2888	cmd.exe	116
PID 2888 wrote to memory of 2520	2888	cmd.exe	116
PID 3748 wrote to memory of 4668	3748	cmd.exe	115
PID 3748 wrote to memory of 4668	3748	cmd.exe	115
PID 4668 wrote to memory of 3952	4668	DisableCtrlAltDel.exe	117
PID 4668 wrote to memory of 3952	4668	DisableCtrlAltDel.exe	117
PID 2888 wrote to memory of 5012	2888	cmd.exe	118
PID 2888 wrote to memory of 5012	2888	cmd.exe	118
PID 3976 wrote to memory of 2560	3976	Vanguard_Spoofer.exe	119
PID 3976 wrote to memory of 2560	3976	Vanguard_Spoofer.exe	119
PID 3976 wrote to memory of 2560	3976	Vanguard_Spoofer.exe	119
PID 2888 wrote to memory of 4516	2888	cmd.exe	121
PID 2888 wrote to memory of 4516	2888	cmd.exe	121
PID 2560 wrote to memory of 3880	2560	ssu.exe	122
PID 2560 wrote to memory of 3880	2560	ssu.exe	122
PID 2888 wrote to memory of 1968	2888	cmd.exe	123
PID 2888 wrote to memory of 1968	2888	cmd.exe	123
PID 3880 wrote to memory of 2724	3880	cmd.exe	124
PID 3880 wrote to memory of 2724	3880	cmd.exe	124
PID 2888 wrote to memory of 4656	2888	cmd.exe	125
PID 2888 wrote to memory of 4656	2888	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\Vanguard_Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Vanguard_Spoofer.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c md C:\\antiOS
  2⤵
  PID:1232
- C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe
  "C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B0E6.tmp\B0E7.tmp\B0E8.bat C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\system32\mode.com
      mode con:cols=80 lines=25
      4⤵
      PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\user.exe
      user.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B2CA.tmp\B2CB.tmp\B2CC.bat C:\Users\Admin\AppData\Local\Temp\user.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - C:\Windows\system32\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:1608
      - C:\Users\Admin\AppData\Local\Temp\DisableCtrlAltDel.exe
        
        DisableCtrlAltDel.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pause
        7⤵
        
        PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\At.exe
      At.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -executionpolicy bypass -WindowStyle hidden -file "Untitled1.ps1"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\blq4bb52\blq4bb52.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB877.tmp" "c:\Users\Admin\AppData\Local\Temp\blq4bb52\CSC779FD3DABD954018B223CFE3B9A5499C.TMP"
        7⤵
        
        PID:4404
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4916
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      Cerber
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:460
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      Cerber
      PID:2332
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4228
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4464
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:3568
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:3664
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:892
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:2520
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:5012
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4516
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4656
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:1836
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:3532
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4784
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:3984
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:1104
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:948
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:2488
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4948
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4100
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:228
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:244
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:3092
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4996
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:2732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4284
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:3564
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:3372
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:2052
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      Cerber
      PID:4528
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4712
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:3624
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:5084
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4396
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4224
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:2332
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2248
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3568
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4288
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1864
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2852
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3192
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4448
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4744
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1952
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1204
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4480
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3788
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4768
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2592
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2488
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4028
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4100
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:232
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3692
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:780
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5064
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4308
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1760
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:3140
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3312
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:3792
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3020
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:1492
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3044
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:2284
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:3624
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:3772
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:2584
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:4876
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4116
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4192
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4208
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4812
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:3620
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:2416
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:3972
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:3860
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:3048
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:3960
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:452
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:384
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:1968
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      Kills process with taskkill
      PID:4656
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:5112
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:1348
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4784
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:1428
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      PID:1264
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:4400
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:1340
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:1276
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:2204
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:1484
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3656
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      Kills process with taskkill
      PID:4028
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:4100
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:3676
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      Kills process with taskkill
      PID:244
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3288
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4136
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3296
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3308
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:3716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:3372
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:3452
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:3992
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3268
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:2624
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4164
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:4168
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4108
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:3776
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:980
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:2028
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4556
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:916
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      Kills process with taskkill
      PID:1528
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:4404
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:3448
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:1140
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:4724
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      Kills process with taskkill
      PID:3912
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:2980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      Kills process with taskkill
      PID:4596
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:328
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:1884
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:2316
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:1068
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4976
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:4868
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:948
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:3900
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:2328
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      Kills process with taskkill
      PID:1156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:4092
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:1296
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:4948
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1044
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:3440
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:3988
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:3804
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:4456
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:3288
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:3516
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:692
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:4900
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:3184
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:3176
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:3792
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:2052
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3456
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:4712
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:3408
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      Kills process with taskkill
      PID:1336
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:4216
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:2660
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:3156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4124
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4188
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      Kills process with taskkill
      PID:1052
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:1408
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4228
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4792
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:960
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:2416
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3972
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:3860
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3048
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:3960
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:3352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:452
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:384
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:2316
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:1068
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:3764
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:2204
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:2592
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:2488
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:216
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3892
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:228
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:780
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:2732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:2804
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      Kills process with taskkill
      PID:3568
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3700
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:5076
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:4528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:5072
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:2352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:5084
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:1032
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:1052
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:4792
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      Kills process with taskkill
      PID:2544
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1864
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:4320
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:4756
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:2740
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4092
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4948
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:216
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3892
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      Kills process with taskkill
      PID:228
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:3988
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:4308
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3300
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3356
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:3264
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:956
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:3260
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:2692
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      Kills process with taskkill
      PID:4156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:2004
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3452
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:3624
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:3044
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4472
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:2624
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:4128
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:4140
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:4188
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:2332
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Kills process with taskkill
      PID:3136
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:4556
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:2248
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:1668
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:1608
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:2368
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:2268
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:3972
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:2500
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:3524
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:4320
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:4480
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:2264
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:1972
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:2204
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:1156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:1216
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:4564
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:2808
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1856
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4440
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:4308
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:3300
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:3356
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:3264
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:956
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:5100
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:1184
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:680
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:2004
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:3452
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:3172
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:4396
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:2624
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4468
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:3276
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3156
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:4464
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:4812
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      Kills process with taskkill
      PID:472
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:916
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:1528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      Kills process with taskkill
      PID:2520
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:3860
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:5012
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:3448
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3188
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:2592
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4744
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4056
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:1980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:1428
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:948
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4756
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:744
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:2092
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:1544
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:4028
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1044
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:232
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4648
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:3440
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:780
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:2732
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:1736
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:4736
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:2840
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:3564
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:3712
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:3204
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3796
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3112
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:3992
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:1540
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:4328
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:824
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4968
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:2352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:2584
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:2784
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:4212
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:1836
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:460
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4192
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:4224
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:1388
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:4464
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4812
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:472
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:916
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:1528
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:2520
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4500
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4480
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      PID:2264
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3880
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:2128
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:976
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:2740
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:4948
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:216
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:3892
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:228
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:236
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:4440
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4136
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:2804
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3428
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3300
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:3356
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      Kills process with taskkill
      PID:3264
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:3176
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:2692
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:3148
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:4896
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3412
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:384
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4960
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:2424
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      Kills process with taskkill
      PID:1204
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:4116
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:4128
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4876
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:652
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:2028
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:4228
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:1052
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:960
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:1224
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:1140
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:4516
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:2520
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:3944
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:4500
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:3128
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4056
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1232
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3048
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:3188
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:1972
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:2112
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4888
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:564
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:3892
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:4440
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:3568
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1848
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      Kills process with taskkill
      PID:756
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:3100
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      Kills process with taskkill
      PID:4196
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:5100
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:1048
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4528
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:5072
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3992
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:2284
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:2432
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:4960
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:2784
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:2424
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:4392
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:1952
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:3416
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:3268
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:2200
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:3476
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4396
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3908
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:1388
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      Kills process with taskkill
      PID:3980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4464
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4812
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:472
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:916
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:1528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:3904
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1340
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:2592
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:3144
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:4320
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:4716
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:2372
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:1688
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:4596
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3972
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:1484
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:2264
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:1740
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:4092
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:32
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:236
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:4648
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:3988
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      Kills process with taskkill
      PID:1736
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4916
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4136
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4804
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:1216
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      Kills process with taskkill
      PID:5076
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:2692
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:2284
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:2432
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:4960
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      Kills process with taskkill
      PID:2784
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:2424
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4392
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:1952
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:3416
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:3268
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:2200
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:3476
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4116
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:4224
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3156
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:3980
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:4464
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:4812
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:472
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:916
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:1528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:3904
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:1340
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:2592
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3144
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4320
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:2852
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:2488
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:1276
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:1816
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:1972
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:2092
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:1156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:4028
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:2836
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4456
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:1856
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:3304
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:2732
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:4440
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:1844
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:3568
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:1848
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:1216
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:956
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:4948
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:3028
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:1492
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3796
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:3472
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:3424
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:3092
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:4896
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4640
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:1836
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3452
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4620
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:4712
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:940
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4128
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:652
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      Kills process with taskkill
      PID:4536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      Kills process with taskkill
      PID:2252
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:5032
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:1668
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1608
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:2416
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4500
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:4480
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:2736
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:3960
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4944
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:4756
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:2112
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:2808
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:3804
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:3440
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:4284
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:1644
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:1496
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:4956
- C:\ProgramData\SoftwareDistribution\ssu.exe
  "C:\ProgramData\SoftwareDistribution\ssu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C180.tmp\C181.tmp\C182.bat C:\ProgramData\SoftwareDistribution\ssu.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Windows\system32\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\amidewin.exe
      amidewin.exe /SS 286581428326719
      4⤵
      Cerber
      Executes dropped EXE
      PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\amidewin.exe
      amidewin.exe /BS 25512666311743
      4⤵
      Cerber
      Executes dropped EXE
      PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\amidewin.exe
      amidewin.exe /SU auto
      4⤵
      Cerber
      Executes dropped EXE
      PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\amidewin64.exe
      amidewin64.exe /SS 82430612216
      4⤵
      Cerber
      Executes dropped EXE
      PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\amidewin64.exe
      amidewin64.exe /BS 2714475509624
      4⤵
      Cerber
      Executes dropped EXE
      PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\amidewin64.exe
      amidewin64.exe /SU auto
      4⤵
      Cerber
      Executes dropped EXE
      PID:4072
  - - C:\Windows\system32\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:3420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SoftwareDistribution\OS.bat" "
  2⤵
  PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
    3⤵
    PID:1352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\find.exe
      find /c /v ""
      4⤵
      PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
    3⤵
    PID:4400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\find.exe
      find /c /v ""
      4⤵
      PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TYPE C:\antiOS\host.txt
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TYPE C:\antiOS\host.txt
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "C:\antiOS\mac.txt"|find /c /v ""
    3⤵
    PID:3440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\mac.txt""
      4⤵
      PID:3988
  - - C:\Windows\SysWOW64\find.exe
      find /c /v ""
      4⤵
      PID:244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TYPE C:\antiOS\mac.txt
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where caption='Admin' rename scats
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "NV Hostname" /t REG_SZ /d aarhus /f
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v Hostname /t REG_SZ /d aarhus /f
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" /v ComputerName /t REG_SZ /d aarhus /f
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v ComputerName /t REG_SZ /d aarhus /f
    3⤵
    PID:4108
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner /t REG_SZ /d scats /f
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 00331-16635-00001-A69B1 /f
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId /t REG_BINARY /d A4000000000003030312D3836382D303030303030372D383535353700AA0000005831352D3333000000000000000C3AABFED5BBA18B8878E89DED5B000000000000396CC459BD030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007D76736 /f
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId4 /t REG_BINARY /d 74E85ADB040000003000300033003707D7002D00300030003100370030002D003800360038002D003000300030003000300030002D00300033002D0031003000330033002D0037003600300031002E0030003000300030002D00320036003500320030003100370000000000000000000000000000000000000000000000000000000000000000006200390032006500374E85ADB80030002D0062003900035002D0034003800320031002D0039006300390034002D0031003400300066003600330032006600360033003100320000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050006F006600650073007300607D7F006E0061006C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000C3AABFA65BBA18B889D24ED80000C6174E85ADBD0BEDFD25E07D745B89FFF45564B84E87CB968EC7F4D18F6E5066261A0B704B9D2739558B7E97DF882AB087AB0D8A314BA9BB1E06029EA28D5800310035002D0033003900310037003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C0075006D006A00470056004C004B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C007D0065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 /f
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Registration" /v ProductId /t REG_SZ /d 00331-10000-00001-A69B1 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2028
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer" /v svcKBNumber /t REG_SZ /d KB3170158 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4536
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_DWORD /d 1501586673 /f
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration" /v "IE Installed Date" /t REG_BINARY /d 1501586673 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:916
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-8064475647AD} /f
    3⤵
    PID:960
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-6a64475647AD} /f
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-6a64475647AD} /f
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\BootCKCLSettings" /v GUID /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-3e64475647AD} /f
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\SecondaryLogonCKCLSettings" /v GUID /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-3e64475647AD} /f
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\ShutdownCKCLSettings" /v GUID /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-3e64475647AD} /f
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-8064475647AD} /f
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d 74E85ADB-07D7-ED5B-07D7-e764475647AD /f
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild /t REG_SZ /d 14192 /f
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber /t REG_SZ /d 14192 /f
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLab /t REG_SZ /d 14192.rs1_release.171184-2100 /f
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx /t REG_SZ /d 14192.1944.amd64fre.rs1_release.171184-2100 /f
    3⤵
    PID:384
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d 74E85ADB-07D7-ED5B-07D7-64475647AD /f
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Connected" /v GUID /t REG_SZ /d {A28BBADE-07D7-ED5B-07D7-0064475647AD} /f
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Disconnected" /v GUID /t REG_SZ /d {143E4E83-07D7-ED5B-07D7-0064475647AD} /f
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\EmailImage" /v GUID /t REG_SZ /d {C66DCEE1-07D7-ED5B-07D7-2F64475647AD} /f
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\FaxImage" /v GUID /t REG_SZ /d {C00EB793-07D7-ED5B-07D7-0064475647AD} /f
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\PrintImage" /v GUID /t REG_SZ /d {B441F425-07D7-ED5B-07D7-0064475647AD} /f
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\ScanButton" /v GUID /t REG_SZ /d {A6C5A715-07D7-ED5B-07D7-0064475647AD} /f
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\STIproxyEvent" /v GUID /t REG_SZ /d {d711f81f-07D7-ED5B-07D7-9264475647AD} /f
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE" /v value /t REG_SZ /d {27720B92-07D7-ED5B-07D7-9264475647AD} /f
    3⤵
    - Modifies registry class
    PID:744
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:3144
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:3648
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /t REG_SZ /d 74E85ADB-07D7-ED5B-07D7-c964475647AD /f
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /t REG_BINARY /d A4000000000003030312D3836382D3030364475647ADD383535353700AA0000005831352D3333000000000000000C3AABFED5BBA18B8878E89DED5B000000000000396CC459BD030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007D76736 /f
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\net.exe
    net start wuauserv
    3⤵
    PID:5008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start wuauserv
      4⤵
      PID:4328
- - C:\antiOS\Volumeid64.exe
    C:\antiOS\Volumeid64.exe /accepteula
    3⤵
    - Executes dropped EXE
    PID:3208
- - C:\antiOS\Volumeid64.exe
    C:\antiOS\Volumeid64.exe
    3⤵
    - Executes dropped EXE
    PID:4932
- - C:\antiOS\Volumeid64.exe
    C:\antiOS\Volumeid64.exe /accepteula
    3⤵
    - Executes dropped EXE
    PID:5000
- - C:\antiOS\Volumeid64.exe
    C:\antiOS\Volumeid64.exe C: C290-69B1
    3⤵
    - Executes dropped EXE
    PID:3408
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007" /v NetworkAddress /d 000D10837448 /f
    3⤵
    PID:4168
- C:\ProgramData\SoftwareDistribution\(3)D.exe
  "C:\ProgramData\SoftwareDistribution\(3)D.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:2544
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2EC1.tmp\2EC2.tmp\2EC3.bat C:\ProgramData\SoftwareDistribution\(3)D.exe"
    3⤵
    PID:3448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
      4⤵
      PID:3216
    - - C:\Windows\system32\find.exe
        
        find /c /v ""
        5⤵
        
        PID:4744
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
        5⤵
        
        PID:3944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
      4⤵
      PID:4976
    - - C:\Windows\system32\find.exe
        
        find /c /v ""
        5⤵
        
        PID:2316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
        5⤵
        
        PID:4768
- C:\ProgramData\SoftwareDistribution\(4)E.exe
  "C:\ProgramData\SoftwareDistribution\(4)E.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:4336
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\36DF.tmp\36E0.tmp\36E1.bat C:\ProgramData\SoftwareDistribution\(4)E.exe"
    3⤵
    PID:4712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
      4⤵
      PID:4740
    - - C:\Windows\system32\find.exe
        
        find /c /v ""
        5⤵
        
        PID:3044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
        5⤵
        
        PID:2860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
      4⤵
      PID:1364
    - - C:\Windows\system32\find.exe
        
        find /c /v ""
        5⤵
        
        PID:2724
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
        5⤵
        
        PID:3164
- C:\ProgramData\SoftwareDistribution\(5)F.exe
  "C:\ProgramData\SoftwareDistribution\(5)F.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:2640
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3ECE.tmp\3ECF.tmp\3ED0.bat C:\ProgramData\SoftwareDistribution\(5)F.exe"
    3⤵
    PID:3424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
      4⤵
      PID:1856
    - - C:\Windows\system32\find.exe
        
        find /c /v ""
        5⤵
        
        PID:4996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
        5⤵
        
        PID:2836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
      4⤵
      PID:3516
    - - C:\Windows\system32\find.exe
        
        find /c /v ""
        5⤵
        
        PID:4916
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
        5⤵
        
        PID:3304
- C:\ProgramData\SoftwareDistribution\(7)TiskKill.exe
  "C:\ProgramData\SoftwareDistribution\(7)TiskKill.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:3092
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4F0A.tmp\4F0B.tmp\4F0C.bat C:\ProgramData\SoftwareDistribution\(7)TiskKill.exe"
    3⤵
    PID:448
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Restrictions /F
      4⤵
      Modifies registry key
      PID:3800
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Restrictions /v HideMachine /t REG_DWORD /d 1 /F
      4⤵
      Modifies registry key
      PID:3372
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM WmiPrvSE.exe
      4⤵
      PID:4980
- C:\antiOS\Mac.exe
  "C:\antiOS\Mac.exe"
  2⤵
  - Executes dropped EXE
  PID:1968
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5F95.tmp\5F96.tmp\5F97.bat C:\antiOS\Mac.exe"
    3⤵
    PID:5000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
      4⤵
      PID:4472
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        5⤵
        
        PID:3560
    - - C:\Windows\system32\findstr.exe
        
        findstr [0-9]
        5⤵
        
        PID:3164
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
      4⤵
      PID:1800
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
      4⤵
      PID:3620
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
      4⤵
      PID:4404
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d F20676E92FC4 /f
      4⤵
      PID:3788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
      4⤵
      PID:3904
    - - C:\Windows\system32\findstr.exe
        
        findstr [0-9]
        5⤵
        
        PID:1220
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        5⤵
        
        PID:4088
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
      4⤵
      PID:2316
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
      4⤵
      PID:4056
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
      4⤵
      PID:4288
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
      4⤵
      PID:744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
      4⤵
      PID:1972
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
        5⤵
        
        PID:2092
  - - C:\Windows\system32\netsh.exe
      netsh interface set interface name="Ethernet" disable
      4⤵
      PID:3892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\Vanguard_Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Vanguard_Spoofer.exe"
1⤵
- Checks computer location settings
PID:3976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c md C:\\antiOS
  2⤵
  PID:1232
- C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe
  "C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:332
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B0E6.tmp\B0E7.tmp\B0E8.bat C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe"
    3⤵
    PID:2888
  - - C:\Windows\system32\mode.com
      mode con:cols=80 lines=25
      4⤵
      PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\user.exe
      user.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:4572
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B2CA.tmp\B2CB.tmp\B2CC.bat C:\Users\Admin\AppData\Local\Temp\user.exe"
        5⤵
        
        PID:3748
      - C:\Windows\system32\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:1608
      - C:\Users\Admin\AppData\Local\Temp\DisableCtrlAltDel.exe
        
        DisableCtrlAltDel.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pause
        7⤵
        
        PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\At.exe
      At.exe
      4⤵
      Executes dropped EXE
      PID:3168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -executionpolicy bypass -WindowStyle hidden -file "Untitled1.ps1"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1764
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\blq4bb52\blq4bb52.cmdline"
        6⤵
        
        PID:3744
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB877.tmp" "c:\Users\Admin\AppData\Local\Temp\blq4bb52\CSC779FD3DABD954018B223CFE3B9A5499C.TMP"
        7⤵
        
        PID:4404
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      PID:4916
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:460
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:2332
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4228
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:4464
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3568
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:3664
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:2252
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      Kills process with taskkill
      PID:892
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:2520
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:5012
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:4516
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:1968
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:4656
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:1836
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3532
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4784
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3984
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:1104
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:948
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:2488
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4948
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4100
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:228
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      Kills process with taskkill
      PID:244
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      Kills process with taskkill
      PID:3092
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:4996
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Kills process with taskkill
      PID:2732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:4284
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:3564
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:3372
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:2052
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4528
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4712
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:3624
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:5084
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:4396
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:4224
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:2332
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:2248
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3568
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:2252
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:4288
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:1864
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:2852
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3192
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4448
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4744
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:1952
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      Kills process with taskkill
      PID:1204
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:4480
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:3788
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4768
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:1688
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:2592
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:2488
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:4028
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4100
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:232
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:3692
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:780
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:5064
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4308
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Kills process with taskkill
      PID:1760
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:3140
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3312
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:3792
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:3020
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:1492
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3044
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:2284
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:3624
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:3772
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:2584
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      Kills process with taskkill
      PID:4876
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4116
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4192
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      Kills process with taskkill
      PID:4208
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4812
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      Kills process with taskkill
      PID:3620
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:2416
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:3972
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:3860
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:3048
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:3960
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:452
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:384
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:1968
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4656
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      Kills process with taskkill
      PID:5112
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:1348
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4784
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:1428
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:1264
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:4400
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:1340
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:1276
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:2204
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:1484
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3656
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:4028
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:4100
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:3676
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      Kills process with taskkill
      PID:244
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3288
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4136
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3296
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3308
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:3716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:3372
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      Kills process with taskkill
      PID:4156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:3452
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:3992
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3268
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:2624
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4164
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:4168
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4108
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:3776
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:980
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:2028
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4556
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:916
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:1528
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:4404
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:3448
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:1140
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:4724
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3912
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:2980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:4596
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:328
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:1884
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:2316
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:1068
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4976
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:4868
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:948
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:3900
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:2328
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:1156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:4092
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:1296
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:4948
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1044
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:3440
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:3988
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:3804
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:4456
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:3288
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:3516
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:692
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:4900
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:3184
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:3176
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:3792
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:2052
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3456
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:4712
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:3408
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:1336
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:4216
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:2660
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:3156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4124
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4188
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:1052
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:1408
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4228
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:4792
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:960
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      Kills process with taskkill
      PID:2416
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:3972
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      Kills process with taskkill
      PID:3860
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3048
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:3960
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:3352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:452
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:384
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:2316
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:1068
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:3764
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:2204
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:2592
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:2488
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:216
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      Kills process with taskkill
      PID:3892
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:228
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:780
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:2732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:2804
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:3568
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3700
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:5076
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:4528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:5072
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:2352
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:5084
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:1032
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:1052
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:4792
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:2544
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1864
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:4320
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:4732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:4756
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:2740
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4092
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Kills process with taskkill
      PID:4948
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:216
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3892
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:228
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:3988
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:4308
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:3300
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:3356
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:3264
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:956
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:3260
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:2692
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:4980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:4156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:2004
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:3452
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:3624
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:3044
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:4472
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:2624
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:4128
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:4140
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:4188
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:2332
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:3136
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:4556
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:2248
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      Kills process with taskkill
      PID:1668
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:1608
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:2368
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:2268
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:3972
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:2500
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:3524
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:4320
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:4480
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:2264
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:1972
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:2204
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:1156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:1216
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      Kills process with taskkill
      PID:4564
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:2808
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:1856
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im SpyMeTools.exe
      4⤵
      PID:4440
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im devenv.exe
      4⤵
      PID:4308
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos64.exe
      4⤵
      PID:3300
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Xenos
      4⤵
      PID:3356
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Fiddler.exe
      4⤵
      PID:3264
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Wireshark.exe
      4⤵
      PID:956
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im idaq.exe
      4⤵
      PID:5100
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im procmon.exe
      4⤵
      PID:1184
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im ProcessHacker.exe
      4⤵
      PID:680
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerSvc.exe
      4⤵
      PID:2004
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im HTTPDebuggerUI.exe
      4⤵
      PID:3452
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im KsDumperClient.exe
      4⤵
      PID:3172
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im iexplore.exe
      4⤵
      PID:4396
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:2624
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Kills process with taskkill
      PID:4468
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      PID:3276
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefox.exe
      4⤵
      PID:3156
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im opera.exe
      4⤵
      PID:4464
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:4812
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msedge.exe
      4⤵
      PID:472
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Discord.exe
      4⤵
      PID:916
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im WinRAR.exe
      4⤵
      PID:1528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im Chromedriver.exe
      4⤵
      PID:2520
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im w4f23.exe
      4⤵
      PID:3860
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im TheFolderSpy.exe
      4⤵
      PID:5012
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im DirectoryMonitor.exe
      4⤵
      PID:3448
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderMonitor.exe
      4⤵
      PID:3188
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im "Phrozen Win File Monitor.exe"
      4⤵
      PID:2592
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /im FolderChangesView.exe
      4⤵
      PID:4744
- C:\ProgramData\SoftwareDistribution\ssu.exe
  "C:\ProgramData\SoftwareDistribution\ssu.exe"
  2⤵
  - Executes dropped EXE
  PID:2560
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C180.tmp\C181.tmp\C182.bat C:\ProgramData\SoftwareDistribution\ssu.exe"
    3⤵
    PID:3880
  - - C:\Windows\system32\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\amidewin.exe
      amidewin.exe /SS 286581428326719
      4⤵
      Cerber
      Executes dropped EXE
      PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\amidewin.exe
      amidewin.exe /BS 25512666311743
      4⤵
      Cerber
      Executes dropped EXE
      PID:4228
  - - C:\Users\Admin\AppData\Local\Temp\amidewin.exe
      amidewin.exe /SU auto
      4⤵
      Cerber
      Executes dropped EXE
      PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\amidewin64.exe
      amidewin64.exe /SS 82430612216
      4⤵
      Cerber
      Executes dropped EXE
      PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\amidewin64.exe
      amidewin64.exe /BS 2714475509624
      4⤵
      Cerber
      Executes dropped EXE
      PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\amidewin64.exe
      amidewin64.exe /SU auto
      4⤵
      Cerber
      Executes dropped EXE
      PID:4072
  - - C:\Windows\system32\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:3420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\SoftwareDistribution\OS.bat" "
  2⤵
  PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
    3⤵
    PID:1352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\find.exe
      find /c /v ""
      4⤵
      PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "C:\antiOS\host.txt"|find /c /v ""
    3⤵
    PID:4400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\host.txt""
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\find.exe
      find /c /v ""
      4⤵
      PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TYPE C:\antiOS\host.txt
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TYPE C:\antiOS\host.txt
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c type "C:\antiOS\mac.txt"|find /c /v ""
    3⤵
    PID:3440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type "C:\antiOS\mac.txt""
      4⤵
      PID:3988
  - - C:\Windows\SysWOW64\find.exe
      find /c /v ""
      4⤵
      PID:244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c TYPE C:\antiOS\mac.txt
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where caption='Admin' rename scats
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "NV Hostname" /t REG_SZ /d aarhus /f
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v Hostname /t REG_SZ /d aarhus /f
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" /v ComputerName /t REG_SZ /d aarhus /f
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v ComputerName /t REG_SZ /d aarhus /f
    3⤵
    PID:4108
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v RegisteredOwner /t REG_SZ /d scats /f
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d 00331-16635-00001-A69B1 /f
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId /t REG_BINARY /d A4000000000003030312D3836382D303030303030372D383535353700AA0000005831352D3333000000000000000C3AABFED5BBA18B8878E89DED5B000000000000396CC459BD030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007D76736 /f
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v DigitalProductId4 /t REG_BINARY /d 74E85ADB040000003000300033003707D7002D00300030003100370030002D003800360038002D003000300030003000300030002D00300033002D0031003000330033002D0037003600300031002E0030003000300030002D00320036003500320030003100370000000000000000000000000000000000000000000000000000000000000000006200390032006500374E85ADB80030002D0062003900035002D0034003800320031002D0039006300390034002D0031003400300066003600330032006600360033003100320000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050006F006600650073007300607D7F006E0061006C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000C3AABFA65BBA18B889D24ED80000C6174E85ADBD0BEDFD25E07D745B89FFF45564B84E87CB968EC7F4D18F6E5066261A0B704B9D2739558B7E97DF882AB087AB0D8A314BA9BB1E06029EA28D5800310035002D0033003900310037003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C0075006D006A00470056004C004B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056006F006C007D0065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 /f
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Registration" /v ProductId /t REG_SZ /d 00331-10000-00001-A69B1 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2028
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer" /v svcKBNumber /t REG_SZ /d KB3170158 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4536
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v InstallDate /t REG_DWORD /d 1501586673 /f
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration" /v "IE Installed Date" /t REG_BINARY /d 1501586673 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:916
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-8064475647AD} /f
    3⤵
    PID:960
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-6a64475647AD} /f
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-6a64475647AD} /f
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\BootCKCLSettings" /v GUID /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-3e64475647AD} /f
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\SecondaryLogonCKCLSettings" /v GUID /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-3e64475647AD} /f
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\ShutdownCKCLSettings" /v GUID /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-3e64475647AD} /f
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d {74E85ADB-07D7-ED5B-07D7-8064475647AD} /f
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d 74E85ADB-07D7-ED5B-07D7-e764475647AD /f
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild /t REG_SZ /d 14192 /f
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber /t REG_SZ /d 14192 /f
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLab /t REG_SZ /d 14192.rs1_release.171184-2100 /f
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx /t REG_SZ /d 14192.1944.amd64fre.rs1_release.171184-2100 /f
    3⤵
    PID:384
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d 74E85ADB-07D7-ED5B-07D7-64475647AD /f
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Connected" /v GUID /t REG_SZ /d {A28BBADE-07D7-ED5B-07D7-0064475647AD} /f
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\Disconnected" /v GUID /t REG_SZ /d {143E4E83-07D7-ED5B-07D7-0064475647AD} /f
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\EmailImage" /v GUID /t REG_SZ /d {C66DCEE1-07D7-ED5B-07D7-2F64475647AD} /f
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\FaxImage" /v GUID /t REG_SZ /d {C00EB793-07D7-ED5B-07D7-0064475647AD} /f
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\PrintImage" /v GUID /t REG_SZ /d {B441F425-07D7-ED5B-07D7-0064475647AD} /f
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\ScanButton" /v GUID /t REG_SZ /d {A6C5A715-07D7-ED5B-07D7-0064475647AD} /f
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StillImage\Events\STIproxyEvent" /v GUID /t REG_SZ /d {d711f81f-07D7-ED5B-07D7-9264475647AD} /f
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionInventoryVersionGUID_DONOTUSEINSTORE" /v value /t REG_SZ /d {27720B92-07D7-ED5B-07D7-9264475647AD} /f
    3⤵
    - Modifies registry class
    PID:744
- - C:\Windows\SysWOW64\net.exe
    net stop wuauserv
    3⤵
    PID:3144
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wuauserv
      4⤵
      PID:3648
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /t REG_SZ /d 74E85ADB-07D7-ED5B-07D7-c964475647AD /f
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /t REG_BINARY /d A4000000000003030312D3836382D3030364475647ADD383535353700AA0000005831352D3333000000000000000C3AABFED5BBA18B8878E89DED5B000000000000396CC459BD030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007D76736 /f
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\net.exe
    net start wuauserv
    3⤵
    PID:5008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start wuauserv
      4⤵
      PID:4328
- - C:\antiOS\Volumeid64.exe
    C:\antiOS\Volumeid64.exe /accepteula
    3⤵
    - Executes dropped EXE
    PID:3208
- - C:\antiOS\Volumeid64.exe
    C:\antiOS\Volumeid64.exe
    3⤵
    - Executes dropped EXE
    PID:4932
- - C:\antiOS\Volumeid64.exe
    C:\antiOS\Volumeid64.exe /accepteula
    3⤵
    - Executes dropped EXE
    PID:5000
- - C:\antiOS\Volumeid64.exe
    C:\antiOS\Volumeid64.exe C: C290-69B1
    3⤵
    - Executes dropped EXE
    PID:3408
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007" /v NetworkAddress /d 000D10837448 /f
    3⤵
    PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SoftwareDistribution\(3)D.exe

Filesize
90KB

MD5
4298d529dec1c56798c51f9c89844fee

SHA1
7a16376dad62ac9901b7b411cb641259fcf5b737

SHA256
f3903193f027c7c28eddfa28be50faed737b4e679d5a27a27210ccf925be4b02

SHA512
7c6db1a0d2c752a4659a0a38b2476d872d6eeaedd53f946215b31c271b0d2bda1fe5016f0073907cf5079c1f45f2766ea2ee1e7a64b26b9179d85c8de1d4555e

Download Submit
C:\ProgramData\SoftwareDistribution\(3)D.exe

Filesize
90KB

MD5
4298d529dec1c56798c51f9c89844fee

SHA1
7a16376dad62ac9901b7b411cb641259fcf5b737

SHA256
f3903193f027c7c28eddfa28be50faed737b4e679d5a27a27210ccf925be4b02

SHA512
7c6db1a0d2c752a4659a0a38b2476d872d6eeaedd53f946215b31c271b0d2bda1fe5016f0073907cf5079c1f45f2766ea2ee1e7a64b26b9179d85c8de1d4555e

Download Submit
C:\ProgramData\SoftwareDistribution\(3)D.exe

Filesize
90KB

MD5
4298d529dec1c56798c51f9c89844fee

SHA1
7a16376dad62ac9901b7b411cb641259fcf5b737

SHA256
f3903193f027c7c28eddfa28be50faed737b4e679d5a27a27210ccf925be4b02

SHA512
7c6db1a0d2c752a4659a0a38b2476d872d6eeaedd53f946215b31c271b0d2bda1fe5016f0073907cf5079c1f45f2766ea2ee1e7a64b26b9179d85c8de1d4555e

Download Submit
C:\ProgramData\SoftwareDistribution\(3)D.exe

Filesize
90KB

MD5
4298d529dec1c56798c51f9c89844fee

SHA1
7a16376dad62ac9901b7b411cb641259fcf5b737

SHA256
f3903193f027c7c28eddfa28be50faed737b4e679d5a27a27210ccf925be4b02

SHA512
7c6db1a0d2c752a4659a0a38b2476d872d6eeaedd53f946215b31c271b0d2bda1fe5016f0073907cf5079c1f45f2766ea2ee1e7a64b26b9179d85c8de1d4555e

Download Submit
C:\ProgramData\SoftwareDistribution\(4)E.exe

Filesize
90KB

MD5
f0c15627354791c1296d8d86e6bb4622

SHA1
689745b509f2c7b2805954a361a2e1f71a36849c

SHA256
b16729792c3cac0f0d412309658d3605c417eb4f624567b0e37d3675d72ddf7a

SHA512
55d50a4f81d7f415b67b2e4899febb6677806b097613597b4780e1ccd7d46682753b877997312be61a4a49091219c407ee55d0acdaea85f58407f9b209ae864d

Download Submit
C:\ProgramData\SoftwareDistribution\(4)E.exe

Filesize
90KB

MD5
f0c15627354791c1296d8d86e6bb4622

SHA1
689745b509f2c7b2805954a361a2e1f71a36849c

SHA256
b16729792c3cac0f0d412309658d3605c417eb4f624567b0e37d3675d72ddf7a

SHA512
55d50a4f81d7f415b67b2e4899febb6677806b097613597b4780e1ccd7d46682753b877997312be61a4a49091219c407ee55d0acdaea85f58407f9b209ae864d

Download Submit
C:\ProgramData\SoftwareDistribution\(4)E.exe

Filesize
90KB

MD5
f0c15627354791c1296d8d86e6bb4622

SHA1
689745b509f2c7b2805954a361a2e1f71a36849c

SHA256
b16729792c3cac0f0d412309658d3605c417eb4f624567b0e37d3675d72ddf7a

SHA512
55d50a4f81d7f415b67b2e4899febb6677806b097613597b4780e1ccd7d46682753b877997312be61a4a49091219c407ee55d0acdaea85f58407f9b209ae864d

Download Submit
C:\ProgramData\SoftwareDistribution\(4)E.exe

Filesize
90KB

MD5
f0c15627354791c1296d8d86e6bb4622

SHA1
689745b509f2c7b2805954a361a2e1f71a36849c

SHA256
b16729792c3cac0f0d412309658d3605c417eb4f624567b0e37d3675d72ddf7a

SHA512
55d50a4f81d7f415b67b2e4899febb6677806b097613597b4780e1ccd7d46682753b877997312be61a4a49091219c407ee55d0acdaea85f58407f9b209ae864d

Download Submit
C:\ProgramData\SoftwareDistribution\(5)F.exe

Filesize
90KB

MD5
4c509f7b464f512b1075b2492a3f968f

SHA1
01166d44f3cadf6c169fc940185cc9d7526d102e

SHA256
45bb3164d993cfdaf0041ab9f859a35342303e01d5c26b821e32ed5c22412f68

SHA512
c36915116813005ffc23ecb6093f2fa6de76d5d9d4645c96244bcc17c6e3a8c9d41e0d73dbea5f1811f93b4bcdc06c70ff390acf41b6b736ad9e56ad003e5d34

Download Submit
C:\ProgramData\SoftwareDistribution\(5)F.exe

Filesize
90KB

MD5
4c509f7b464f512b1075b2492a3f968f

SHA1
01166d44f3cadf6c169fc940185cc9d7526d102e

SHA256
45bb3164d993cfdaf0041ab9f859a35342303e01d5c26b821e32ed5c22412f68

SHA512
c36915116813005ffc23ecb6093f2fa6de76d5d9d4645c96244bcc17c6e3a8c9d41e0d73dbea5f1811f93b4bcdc06c70ff390acf41b6b736ad9e56ad003e5d34

Download Submit
C:\ProgramData\SoftwareDistribution\(5)F.exe

Filesize
90KB

MD5
4c509f7b464f512b1075b2492a3f968f

SHA1
01166d44f3cadf6c169fc940185cc9d7526d102e

SHA256
45bb3164d993cfdaf0041ab9f859a35342303e01d5c26b821e32ed5c22412f68

SHA512
c36915116813005ffc23ecb6093f2fa6de76d5d9d4645c96244bcc17c6e3a8c9d41e0d73dbea5f1811f93b4bcdc06c70ff390acf41b6b736ad9e56ad003e5d34

Download Submit
C:\ProgramData\SoftwareDistribution\(5)F.exe

Filesize
90KB

MD5
4c509f7b464f512b1075b2492a3f968f

SHA1
01166d44f3cadf6c169fc940185cc9d7526d102e

SHA256
45bb3164d993cfdaf0041ab9f859a35342303e01d5c26b821e32ed5c22412f68

SHA512
c36915116813005ffc23ecb6093f2fa6de76d5d9d4645c96244bcc17c6e3a8c9d41e0d73dbea5f1811f93b4bcdc06c70ff390acf41b6b736ad9e56ad003e5d34

Download Submit
C:\ProgramData\SoftwareDistribution\(7)TiskKill.exe

Filesize
87KB

MD5
df811db403a59b6d420f0173a6d7926c

SHA1
498478a70258594aa8c49bb1c044a48ea5a1ab00

SHA256
a846fe30d710c9142f770d9f75f02e0a3a2364494a9a518d930a7b0bc0905a9a

SHA512
e85ba7c819205b1a169092755d098d87e65c23db7aa2252c8f5ceada07595107879d03243b4c4cc72b2b10efe379cf3e1749ac8bf9ba3b80c1c798de987df92d

Download Submit
C:\ProgramData\SoftwareDistribution\(7)TiskKill.exe

Filesize
87KB

MD5
df811db403a59b6d420f0173a6d7926c

SHA1
498478a70258594aa8c49bb1c044a48ea5a1ab00

SHA256
a846fe30d710c9142f770d9f75f02e0a3a2364494a9a518d930a7b0bc0905a9a

SHA512
e85ba7c819205b1a169092755d098d87e65c23db7aa2252c8f5ceada07595107879d03243b4c4cc72b2b10efe379cf3e1749ac8bf9ba3b80c1c798de987df92d

Download Submit
C:\ProgramData\SoftwareDistribution\(7)TiskKill.exe

Filesize
87KB

MD5
df811db403a59b6d420f0173a6d7926c

SHA1
498478a70258594aa8c49bb1c044a48ea5a1ab00

SHA256
a846fe30d710c9142f770d9f75f02e0a3a2364494a9a518d930a7b0bc0905a9a

SHA512
e85ba7c819205b1a169092755d098d87e65c23db7aa2252c8f5ceada07595107879d03243b4c4cc72b2b10efe379cf3e1749ac8bf9ba3b80c1c798de987df92d

Download Submit
C:\ProgramData\SoftwareDistribution\(7)TiskKill.exe

Filesize
87KB

MD5
df811db403a59b6d420f0173a6d7926c

SHA1
498478a70258594aa8c49bb1c044a48ea5a1ab00

SHA256
a846fe30d710c9142f770d9f75f02e0a3a2364494a9a518d930a7b0bc0905a9a

SHA512
e85ba7c819205b1a169092755d098d87e65c23db7aa2252c8f5ceada07595107879d03243b4c4cc72b2b10efe379cf3e1749ac8bf9ba3b80c1c798de987df92d

Download Submit
C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe

Filesize
157KB

MD5
b0abe5b0254f8d2619952e3d718bc9a1

SHA1
83d61524e810bac8050420acb4ce11a7ff14de9e

SHA256
2101634c64bb96f49d3a0ab1f606ab4e7fa3bbd745d5602ddac274111e5e00b6

SHA512
e730570af15e82b47bcdd52fe7475d24f493e4fd0820ccf33553d3d40e80a0926aa1794700ac139865bf10a62fe0c82444035085d165805834c3cf3cfc5c1c15

Download Submit
C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe

Filesize
157KB

MD5
b0abe5b0254f8d2619952e3d718bc9a1

SHA1
83d61524e810bac8050420acb4ce11a7ff14de9e

SHA256
2101634c64bb96f49d3a0ab1f606ab4e7fa3bbd745d5602ddac274111e5e00b6

SHA512
e730570af15e82b47bcdd52fe7475d24f493e4fd0820ccf33553d3d40e80a0926aa1794700ac139865bf10a62fe0c82444035085d165805834c3cf3cfc5c1c15

Download Submit
C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe

Filesize
157KB

MD5
b0abe5b0254f8d2619952e3d718bc9a1

SHA1
83d61524e810bac8050420acb4ce11a7ff14de9e

SHA256
2101634c64bb96f49d3a0ab1f606ab4e7fa3bbd745d5602ddac274111e5e00b6

SHA512
e730570af15e82b47bcdd52fe7475d24f493e4fd0820ccf33553d3d40e80a0926aa1794700ac139865bf10a62fe0c82444035085d165805834c3cf3cfc5c1c15

Download Submit
C:\ProgramData\SoftwareDistribution\MicrosoftLogs.exe

Filesize
157KB

MD5
b0abe5b0254f8d2619952e3d718bc9a1

SHA1
83d61524e810bac8050420acb4ce11a7ff14de9e

SHA256
2101634c64bb96f49d3a0ab1f606ab4e7fa3bbd745d5602ddac274111e5e00b6

SHA512
e730570af15e82b47bcdd52fe7475d24f493e4fd0820ccf33553d3d40e80a0926aa1794700ac139865bf10a62fe0c82444035085d165805834c3cf3cfc5c1c15

Download Submit
C:\ProgramData\SoftwareDistribution\OS.bat

Filesize
16KB

MD5
b862dc18754b2a3449af25a40df09ed8

SHA1
1f1a4d1cd156a0ea13a9ea9c7712150e6528b8e8

SHA256
5e600769f979154832b34b831e3322b0ba164af671e40110e2a71a9359d6c24c

SHA512
89768117a87124e93d42d22e18342b27496af7bf9d0f93b51b2609c14d098340c3767a9a0d59526d5a7358e2b07a8faae33df90ee2a7673717d02cfcd23dc2f7

Download Submit
C:\ProgramData\SoftwareDistribution\OS.bat

Filesize
16KB

MD5
b862dc18754b2a3449af25a40df09ed8

SHA1
1f1a4d1cd156a0ea13a9ea9c7712150e6528b8e8

SHA256
5e600769f979154832b34b831e3322b0ba164af671e40110e2a71a9359d6c24c

SHA512
89768117a87124e93d42d22e18342b27496af7bf9d0f93b51b2609c14d098340c3767a9a0d59526d5a7358e2b07a8faae33df90ee2a7673717d02cfcd23dc2f7

Download Submit
C:\ProgramData\SoftwareDistribution\ssu.exe

Filesize
408KB

MD5
b300ceae379544d8ffbf6d2b6eeb1f6a

SHA1
0976ed9db45832f05e560b8dcca0782cd72e8b1d

SHA256
e1182deec71195e11fd4580f435dc461dd194a3ae9954dc441235c2f138377e1

SHA512
0012bf10e60411d6c5e71ab161e0deb0c505e029639eaa1919420558f465d01af34c68f2ae79b8b771b0d61b589eaf364978f0a42fd1139153e61658f7248d20

Download Submit
C:\ProgramData\SoftwareDistribution\ssu.exe

Filesize
408KB

MD5
b300ceae379544d8ffbf6d2b6eeb1f6a

SHA1
0976ed9db45832f05e560b8dcca0782cd72e8b1d

SHA256
e1182deec71195e11fd4580f435dc461dd194a3ae9954dc441235c2f138377e1

SHA512
0012bf10e60411d6c5e71ab161e0deb0c505e029639eaa1919420558f465d01af34c68f2ae79b8b771b0d61b589eaf364978f0a42fd1139153e61658f7248d20

Download Submit
C:\ProgramData\SoftwareDistribution\ssu.exe

Filesize
408KB

MD5
b300ceae379544d8ffbf6d2b6eeb1f6a

SHA1
0976ed9db45832f05e560b8dcca0782cd72e8b1d

SHA256
e1182deec71195e11fd4580f435dc461dd194a3ae9954dc441235c2f138377e1

SHA512
0012bf10e60411d6c5e71ab161e0deb0c505e029639eaa1919420558f465d01af34c68f2ae79b8b771b0d61b589eaf364978f0a42fd1139153e61658f7248d20

Download Submit
C:\ProgramData\SoftwareDistribution\ssu.exe

Filesize
408KB

MD5
b300ceae379544d8ffbf6d2b6eeb1f6a

SHA1
0976ed9db45832f05e560b8dcca0782cd72e8b1d

SHA256
e1182deec71195e11fd4580f435dc461dd194a3ae9954dc441235c2f138377e1

SHA512
0012bf10e60411d6c5e71ab161e0deb0c505e029639eaa1919420558f465d01af34c68f2ae79b8b771b0d61b589eaf364978f0a42fd1139153e61658f7248d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EC1.tmp\2EC2.tmp\2EC3.bat

Filesize
2KB

MD5
87ad2f7056931e0f4a02b26088ba5d88

SHA1
5bf086adfffece774201b046fea373e1c598b57d

SHA256
f2142ea4b18e03798486a5ac097392cf7a33589b400412672469693521618dca

SHA512
dfa8573aea6ec133e3a06d75e680c34c3046b9e2a8bf447a18ed9007ced8c5a37a7ef280b9fe5f46a52e060ccdeb3d8ec1c7d59ac3f0ed97ec4b342c1d92a429

Download Submit
C:\Users\Admin\AppData\Local\Temp\2EC1.tmp\2EC2.tmp\2EC3.bat

Filesize
2KB

MD5
87ad2f7056931e0f4a02b26088ba5d88

SHA1
5bf086adfffece774201b046fea373e1c598b57d

SHA256
f2142ea4b18e03798486a5ac097392cf7a33589b400412672469693521618dca

SHA512
dfa8573aea6ec133e3a06d75e680c34c3046b9e2a8bf447a18ed9007ced8c5a37a7ef280b9fe5f46a52e060ccdeb3d8ec1c7d59ac3f0ed97ec4b342c1d92a429

Download Submit
C:\Users\Admin\AppData\Local\Temp\36DF.tmp\36E0.tmp\36E1.bat

Filesize
2KB

MD5
906a599e1ce4b10b1ff4e8b5f9cdf7ae

SHA1
0e285bd269bf7d24cb98bab8e91c5003762d754a

SHA256
68cc4c4aeb7dafc4e9ec9334384dfe3ffabe1b92ba973fece26fee21e6d89467

SHA512
e619539601b3726333d8dfafbef9d08e60976ca12a28b28361ed3ab6c52e078ef9a1c7b88942abf257e6b29d28cb651e29b87a27255c3ed0c43f295de39eb6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\36DF.tmp\36E0.tmp\36E1.bat

Filesize
2KB

MD5
906a599e1ce4b10b1ff4e8b5f9cdf7ae

SHA1
0e285bd269bf7d24cb98bab8e91c5003762d754a

SHA256
68cc4c4aeb7dafc4e9ec9334384dfe3ffabe1b92ba973fece26fee21e6d89467

SHA512
e619539601b3726333d8dfafbef9d08e60976ca12a28b28361ed3ab6c52e078ef9a1c7b88942abf257e6b29d28cb651e29b87a27255c3ed0c43f295de39eb6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ECE.tmp\3ECF.tmp\3ED0.bat

Filesize
2KB

MD5
cc67ad8e27c483af2fb299236ddcb7c2

SHA1
b5303fbd0acc6c0aec1cd076cd75911489f665c3

SHA256
17a567915c13c10c1ed5eead97780db78f6e45329377e6ddcf0c0cdc113c65d9

SHA512
e0bca0facabe92ccc8c625e6a4926746bfc4f01de0358762cca24c52fd79ded7e8eb25ca9c074d9308cc3d504f27c12fd33de23ff0f5c53aedb7e9a47d44d69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ECE.tmp\3ECF.tmp\3ED0.bat

Filesize
2KB

MD5
cc67ad8e27c483af2fb299236ddcb7c2

SHA1
b5303fbd0acc6c0aec1cd076cd75911489f665c3

SHA256
17a567915c13c10c1ed5eead97780db78f6e45329377e6ddcf0c0cdc113c65d9

SHA512
e0bca0facabe92ccc8c625e6a4926746bfc4f01de0358762cca24c52fd79ded7e8eb25ca9c074d9308cc3d504f27c12fd33de23ff0f5c53aedb7e9a47d44d69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F0A.tmp\4F0B.tmp\4F0C.bat

Filesize
217B

MD5
e580cbce36a7476bdeb5e2c349e4c25c

SHA1
4d14c999a36707e9f0648c88e5eaafa370c47ff1

SHA256
4d9602bd8928e68544640486f01a5a72078caf6ac32a53d35b26126d4c9809fa

SHA512
309c07dcd9afac84b36353cfb235a1e6effa04e4e6a6b7f400c820accea83ff618764774159379536522f9998511b286e00bd90e54d518dcb6b1c89402e79f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\4F0A.tmp\4F0B.tmp\4F0C.bat

Filesize
217B

MD5
e580cbce36a7476bdeb5e2c349e4c25c

SHA1
4d14c999a36707e9f0648c88e5eaafa370c47ff1

SHA256
4d9602bd8928e68544640486f01a5a72078caf6ac32a53d35b26126d4c9809fa

SHA512
309c07dcd9afac84b36353cfb235a1e6effa04e4e6a6b7f400c820accea83ff618764774159379536522f9998511b286e00bd90e54d518dcb6b1c89402e79f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F95.tmp\5F96.tmp\5F97.bat

Filesize
2KB

MD5
0a21964af75b7457c92e8ccb5b24bc02

SHA1
4b7db83d0509df5e6b030cce90d62331b28c425b

SHA256
fac939ddd19dc104ce2d9fe8f66a2693f78e0e5570d2ed5c7b3f0baa5501bcd6

SHA512
a3dfdfbd3121f1888a7d86abcdf661b1bb912e7430377fbc35f0479869bf9458b7759a0798165b01a45b7d8630f4b73469066be4b96b244846178e483d2b991f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F95.tmp\5F96.tmp\5F97.bat

Filesize
2KB

MD5
0a21964af75b7457c92e8ccb5b24bc02

SHA1
4b7db83d0509df5e6b030cce90d62331b28c425b

SHA256
fac939ddd19dc104ce2d9fe8f66a2693f78e0e5570d2ed5c7b3f0baa5501bcd6

SHA512
a3dfdfbd3121f1888a7d86abcdf661b1bb912e7430377fbc35f0479869bf9458b7759a0798165b01a45b7d8630f4b73469066be4b96b244846178e483d2b991f

Download Submit
C:\Users\Admin\AppData\Local\Temp\At.exe

Filesize
6KB

MD5
7a83dfc93e79a3764b20b6f87e761267

SHA1
c8f79a0bf7a9e67f078a789dd95aa69f59a318ca

SHA256
47e2bc9bbe01cd162a998310be62a62e10471a88f7d6bf1cddb8ecf0db3a639a

SHA512
21e0e2974bd0c6febea0c9b402d4408e763fe7df2b7efff5233a9a12ad3b707a78904ef277abf686ce01782a06753dd3d7b626408d39d67ab326797d9e539b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\At.exe

Filesize
6KB

MD5
7a83dfc93e79a3764b20b6f87e761267

SHA1
c8f79a0bf7a9e67f078a789dd95aa69f59a318ca

SHA256
47e2bc9bbe01cd162a998310be62a62e10471a88f7d6bf1cddb8ecf0db3a639a

SHA512
21e0e2974bd0c6febea0c9b402d4408e763fe7df2b7efff5233a9a12ad3b707a78904ef277abf686ce01782a06753dd3d7b626408d39d67ab326797d9e539b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\At.exe

Filesize
6KB

MD5
7a83dfc93e79a3764b20b6f87e761267

SHA1
c8f79a0bf7a9e67f078a789dd95aa69f59a318ca

SHA256
47e2bc9bbe01cd162a998310be62a62e10471a88f7d6bf1cddb8ecf0db3a639a

SHA512
21e0e2974bd0c6febea0c9b402d4408e763fe7df2b7efff5233a9a12ad3b707a78904ef277abf686ce01782a06753dd3d7b626408d39d67ab326797d9e539b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\At.exe

Filesize
6KB

MD5
7a83dfc93e79a3764b20b6f87e761267

SHA1
c8f79a0bf7a9e67f078a789dd95aa69f59a318ca

SHA256
47e2bc9bbe01cd162a998310be62a62e10471a88f7d6bf1cddb8ecf0db3a639a

SHA512
21e0e2974bd0c6febea0c9b402d4408e763fe7df2b7efff5233a9a12ad3b707a78904ef277abf686ce01782a06753dd3d7b626408d39d67ab326797d9e539b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0E6.tmp\B0E7.tmp\B0E8.bat

Filesize
3KB

MD5
f19a220d54798c7ac2bd737ffcbef066

SHA1
b03a54f6ae29a35b7d2acc25d6f94a3eaed5725f

SHA256
0f0f01751bde3fe2524f5f3a061c05958b327c359fc8ce5643dd470e38a0c929

SHA512
e7ece5da56ee73a14fd1fb85b6536d87717afa7e37d6a43da5dcef0d1562a28f101a4350290b46c1a5fdb503e43ba95c40979cf8a188a428bc41cfd0bf1382d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0E6.tmp\B0E7.tmp\B0E8.bat

Filesize
3KB

MD5
f19a220d54798c7ac2bd737ffcbef066

SHA1
b03a54f6ae29a35b7d2acc25d6f94a3eaed5725f

SHA256
0f0f01751bde3fe2524f5f3a061c05958b327c359fc8ce5643dd470e38a0c929

SHA512
e7ece5da56ee73a14fd1fb85b6536d87717afa7e37d6a43da5dcef0d1562a28f101a4350290b46c1a5fdb503e43ba95c40979cf8a188a428bc41cfd0bf1382d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2CA.tmp\B2CB.tmp\B2CC.bat

Filesize
226B

MD5
9a9b63363859ed86d14cfb709ec6e9b0

SHA1
026387ad72417fa9997e9e88c5c147f06a420fc6

SHA256
ac17d99ee2b03f27a89fb410ff4f9cfebc4d6674cbbc9d273738b5575988e7cf

SHA512
d56b4909d193934fe3a2b51dd65016615d70fc018cd0c9215a178e82045a7f315def4345db7343017b076aee6964fdb07604c45ca253b29f4149812b03831869

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2CA.tmp\B2CB.tmp\B2CC.bat

Filesize
226B

MD5
9a9b63363859ed86d14cfb709ec6e9b0

SHA1
026387ad72417fa9997e9e88c5c147f06a420fc6

SHA256
ac17d99ee2b03f27a89fb410ff4f9cfebc4d6674cbbc9d273738b5575988e7cf

SHA512
d56b4909d193934fe3a2b51dd65016615d70fc018cd0c9215a178e82045a7f315def4345db7343017b076aee6964fdb07604c45ca253b29f4149812b03831869

Download Submit
C:\Users\Admin\AppData\Local\Temp\C180.tmp\C181.tmp\C182.bat

Filesize
405B

MD5
05de1dae5e34444a22abe9e587b8c2ed

SHA1
55407b2fb1132d68d75960255e1a87198eb7c86f

SHA256
f5b8428dee5107c5721d4a2ad1b4dfd040ec4381384d983bb2804ed3aa4643d8

SHA512
5cb1eddc5520491f403ecc6fcde4d9cd8ba8be49642b3d31ab047875e9a0702257039aa33423b4203b0a4ee8b13fda8fada7dd53e6d44d0323032e9a9197c20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C180.tmp\C181.tmp\C182.bat

Filesize
405B

MD5
05de1dae5e34444a22abe9e587b8c2ed

SHA1
55407b2fb1132d68d75960255e1a87198eb7c86f

SHA256
f5b8428dee5107c5721d4a2ad1b4dfd040ec4381384d983bb2804ed3aa4643d8

SHA512
5cb1eddc5520491f403ecc6fcde4d9cd8ba8be49642b3d31ab047875e9a0702257039aa33423b4203b0a4ee8b13fda8fada7dd53e6d44d0323032e9a9197c20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DisableCtrlAltDel.exe

Filesize
56KB

MD5
fe768b97eaf316452558e7e60ddae3f7

SHA1
2863f81516e72950431c6e3a42c8d7d1f31f6a04

SHA256
55183466f502aac15d426933e123783bbf0250e9908760fcbb6dff1550d1f680

SHA512
a80eac189662756a09be09efa4303f2f230d51e37f6e38ff7198e18166b07ade9753dece4bbd2785a5a90ee5371353bce467671d30dc2bf16a5c13bcbaab2801

Download Submit
C:\Users\Admin\AppData\Local\Temp\DisableCtrlAltDel.exe

Filesize
56KB

MD5
fe768b97eaf316452558e7e60ddae3f7

SHA1
2863f81516e72950431c6e3a42c8d7d1f31f6a04

SHA256
55183466f502aac15d426933e123783bbf0250e9908760fcbb6dff1550d1f680

SHA512
a80eac189662756a09be09efa4303f2f230d51e37f6e38ff7198e18166b07ade9753dece4bbd2785a5a90ee5371353bce467671d30dc2bf16a5c13bcbaab2801

Download Submit
C:\Users\Admin\AppData\Local\Temp\DisableCtrlAltDel.exe

Filesize
56KB

MD5
fe768b97eaf316452558e7e60ddae3f7

SHA1
2863f81516e72950431c6e3a42c8d7d1f31f6a04

SHA256
55183466f502aac15d426933e123783bbf0250e9908760fcbb6dff1550d1f680

SHA512
a80eac189662756a09be09efa4303f2f230d51e37f6e38ff7198e18166b07ade9753dece4bbd2785a5a90ee5371353bce467671d30dc2bf16a5c13bcbaab2801

Download Submit
C:\Users\Admin\AppData\Local\Temp\DisableCtrlAltDel.exe

Filesize
56KB

MD5
fe768b97eaf316452558e7e60ddae3f7

SHA1
2863f81516e72950431c6e3a42c8d7d1f31f6a04

SHA256
55183466f502aac15d426933e123783bbf0250e9908760fcbb6dff1550d1f680

SHA512
a80eac189662756a09be09efa4303f2f230d51e37f6e38ff7198e18166b07ade9753dece4bbd2785a5a90ee5371353bce467671d30dc2bf16a5c13bcbaab2801

Download Submit
C:\Users\Admin\AppData\Local\Temp\Make-EXE0\Untitled1.ps1

Filesize
392B

MD5
08ffd0f10f8d3b4eb1b0ffc3acf09667

SHA1
6e457811de6ddc2bb7b7a2696ca1237bf0e697a8

SHA256
95ba5ee92132b05cfb029ff8f8c72614eebf7166f6fa432d762684908fdb778a

SHA512
95e17ee10844c70002a2f19b46cb35491f1a760372debd776e47217e806daa1fb0380705f510ab590431ce7eb1955e4b4f7c5cfb6aa315601062017aa63b616f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Make-EXE0\Untitled1.ps1

Filesize
392B

MD5
08ffd0f10f8d3b4eb1b0ffc3acf09667

SHA1
6e457811de6ddc2bb7b7a2696ca1237bf0e697a8

SHA256
95ba5ee92132b05cfb029ff8f8c72614eebf7166f6fa432d762684908fdb778a

SHA512
95e17ee10844c70002a2f19b46cb35491f1a760372debd776e47217e806daa1fb0380705f510ab590431ce7eb1955e4b4f7c5cfb6aa315601062017aa63b616f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB877.tmp

Filesize
1KB

MD5
1987129a9b4d9f059d6d5b4df517740f

SHA1
10443c0a02ad29007306458ef30b3582a29e739d

SHA256
416c2c2f6fde6cc062059b8b7006ee781674a0d2044cf90a6dfe3f72b711a2bc

SHA512
df57c7a413f75c01da69906ae5805502605ce9d178b268b68a71c3e6d8daae1791ae612f40aa786693a88a85012b548f01c2aea6f2b6f8597f26b6d153a45b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB877.tmp

Filesize
1KB

MD5
1987129a9b4d9f059d6d5b4df517740f

SHA1
10443c0a02ad29007306458ef30b3582a29e739d

SHA256
416c2c2f6fde6cc062059b8b7006ee781674a0d2044cf90a6dfe3f72b711a2bc

SHA512
df57c7a413f75c01da69906ae5805502605ce9d178b268b68a71c3e6d8daae1791ae612f40aa786693a88a85012b548f01c2aea6f2b6f8597f26b6d153a45b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin.exe

Filesize
368KB

MD5
2a9f489fa0834b84b16bd6c8ceab69c5

SHA1
85905cb94b4f4ebc9eb9a9627a6dc7e217537205

SHA256
0e73fa53b6251a40937c44efca836c17a1b8cf6e7991258b4b1973c9129f1177

SHA512
2913929a37f50d9f945c5764841a29fa95ac62cc0943ea7493d726005b19cb936a30bbfad69724cb76f77d250eabd78e6af7936b5c3033bf5eba6675f0ef0f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin.exe

Filesize
368KB

MD5
2a9f489fa0834b84b16bd6c8ceab69c5

SHA1
85905cb94b4f4ebc9eb9a9627a6dc7e217537205

SHA256
0e73fa53b6251a40937c44efca836c17a1b8cf6e7991258b4b1973c9129f1177

SHA512
2913929a37f50d9f945c5764841a29fa95ac62cc0943ea7493d726005b19cb936a30bbfad69724cb76f77d250eabd78e6af7936b5c3033bf5eba6675f0ef0f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin.exe

Filesize
368KB

MD5
2a9f489fa0834b84b16bd6c8ceab69c5

SHA1
85905cb94b4f4ebc9eb9a9627a6dc7e217537205

SHA256
0e73fa53b6251a40937c44efca836c17a1b8cf6e7991258b4b1973c9129f1177

SHA512
2913929a37f50d9f945c5764841a29fa95ac62cc0943ea7493d726005b19cb936a30bbfad69724cb76f77d250eabd78e6af7936b5c3033bf5eba6675f0ef0f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin.exe

Filesize
368KB

MD5
2a9f489fa0834b84b16bd6c8ceab69c5

SHA1
85905cb94b4f4ebc9eb9a9627a6dc7e217537205

SHA256
0e73fa53b6251a40937c44efca836c17a1b8cf6e7991258b4b1973c9129f1177

SHA512
2913929a37f50d9f945c5764841a29fa95ac62cc0943ea7493d726005b19cb936a30bbfad69724cb76f77d250eabd78e6af7936b5c3033bf5eba6675f0ef0f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin.exe

Filesize
368KB

MD5
2a9f489fa0834b84b16bd6c8ceab69c5

SHA1
85905cb94b4f4ebc9eb9a9627a6dc7e217537205

SHA256
0e73fa53b6251a40937c44efca836c17a1b8cf6e7991258b4b1973c9129f1177

SHA512
2913929a37f50d9f945c5764841a29fa95ac62cc0943ea7493d726005b19cb936a30bbfad69724cb76f77d250eabd78e6af7936b5c3033bf5eba6675f0ef0f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin.exe

Filesize
368KB

MD5
2a9f489fa0834b84b16bd6c8ceab69c5

SHA1
85905cb94b4f4ebc9eb9a9627a6dc7e217537205

SHA256
0e73fa53b6251a40937c44efca836c17a1b8cf6e7991258b4b1973c9129f1177

SHA512
2913929a37f50d9f945c5764841a29fa95ac62cc0943ea7493d726005b19cb936a30bbfad69724cb76f77d250eabd78e6af7936b5c3033bf5eba6675f0ef0f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin.exe

Filesize
368KB

MD5
2a9f489fa0834b84b16bd6c8ceab69c5

SHA1
85905cb94b4f4ebc9eb9a9627a6dc7e217537205

SHA256
0e73fa53b6251a40937c44efca836c17a1b8cf6e7991258b4b1973c9129f1177

SHA512
2913929a37f50d9f945c5764841a29fa95ac62cc0943ea7493d726005b19cb936a30bbfad69724cb76f77d250eabd78e6af7936b5c3033bf5eba6675f0ef0f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin.exe

Filesize
368KB

MD5
2a9f489fa0834b84b16bd6c8ceab69c5

SHA1
85905cb94b4f4ebc9eb9a9627a6dc7e217537205

SHA256
0e73fa53b6251a40937c44efca836c17a1b8cf6e7991258b4b1973c9129f1177

SHA512
2913929a37f50d9f945c5764841a29fa95ac62cc0943ea7493d726005b19cb936a30bbfad69724cb76f77d250eabd78e6af7936b5c3033bf5eba6675f0ef0f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin64.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin64.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin64.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin64.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin64.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin64.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin64.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\amidewin64.exe

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Users\Admin\AppData\Local\Temp\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Users\Admin\AppData\Local\Temp\blq4bb52\blq4bb52.dll

Filesize
3KB

MD5
37a98fb9b3757653453fb8e54e82be2a

SHA1
9a6eb1de7c82389d5d6156bcbe1072c11c268618

SHA256
b1acea3773f8f4f1a5e841831d39294a9a1472ae1bad48c562746bbfd04c5390

SHA512
ed76f60419bc6b5aca66f215fb5029596776fa5450958c2ada4bf60254908a73c2441e62d996e7d71696d81661b3937614c22992d1cd43ade330ce627e38e963

Download Submit
C:\Users\Admin\AppData\Local\Temp\blq4bb52\blq4bb52.dll

Filesize
3KB

MD5
37a98fb9b3757653453fb8e54e82be2a

SHA1
9a6eb1de7c82389d5d6156bcbe1072c11c268618

SHA256
b1acea3773f8f4f1a5e841831d39294a9a1472ae1bad48c562746bbfd04c5390

SHA512
ed76f60419bc6b5aca66f215fb5029596776fa5450958c2ada4bf60254908a73c2441e62d996e7d71696d81661b3937614c22992d1cd43ade330ce627e38e963

Download Submit
C:\Users\Admin\AppData\Local\Temp\user.exe

Filesize
103KB

MD5
8e22afbd3e12ac2be4d9ca11d7053565

SHA1
c42271e81d7180dac7b92751d3c5262669afe771

SHA256
0c49a3468816dde22763ac52d3c5d901054173442a7aa1455ac8beb339f92fd9

SHA512
227f5c4b2997b4bd3226afabc8a04f2ad00a47c2a3a810accaa2dae6647b12487b3142a09ad08ffc21082678d8fd8824974af08dcb9403bf3fa9835b318e09f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\user.exe

Filesize
103KB

MD5
8e22afbd3e12ac2be4d9ca11d7053565

SHA1
c42271e81d7180dac7b92751d3c5262669afe771

SHA256
0c49a3468816dde22763ac52d3c5d901054173442a7aa1455ac8beb339f92fd9

SHA512
227f5c4b2997b4bd3226afabc8a04f2ad00a47c2a3a810accaa2dae6647b12487b3142a09ad08ffc21082678d8fd8824974af08dcb9403bf3fa9835b318e09f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\user.exe

Filesize
103KB

MD5
8e22afbd3e12ac2be4d9ca11d7053565

SHA1
c42271e81d7180dac7b92751d3c5262669afe771

SHA256
0c49a3468816dde22763ac52d3c5d901054173442a7aa1455ac8beb339f92fd9

SHA512
227f5c4b2997b4bd3226afabc8a04f2ad00a47c2a3a810accaa2dae6647b12487b3142a09ad08ffc21082678d8fd8824974af08dcb9403bf3fa9835b318e09f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\user.exe

Filesize
103KB

MD5
8e22afbd3e12ac2be4d9ca11d7053565

SHA1
c42271e81d7180dac7b92751d3c5262669afe771

SHA256
0c49a3468816dde22763ac52d3c5d901054173442a7aa1455ac8beb339f92fd9

SHA512
227f5c4b2997b4bd3226afabc8a04f2ad00a47c2a3a810accaa2dae6647b12487b3142a09ad08ffc21082678d8fd8824974af08dcb9403bf3fa9835b318e09f0

Download Submit
C:\antiOS\Mac.exe

Filesize
91KB

MD5
8bcea47c8154a9f6359da1cc64e1597a

SHA1
e46a7ef85a61fb98e164717e845e872bd8e4d088

SHA256
c210abd1ab842704e92dcc1b979d3f51f8ed46a3d268e2beb47f152e4e67b99e

SHA512
2df5a9636af0a7c23ff2171026e86310321d9bbbbb328d806bd0cef4961b44eb85f3f3164dbd095a306313c832bae1d5b52bb86870bd833edfe160532642909b

Download Submit
C:\antiOS\Mac.exe

Filesize
91KB

MD5
8bcea47c8154a9f6359da1cc64e1597a

SHA1
e46a7ef85a61fb98e164717e845e872bd8e4d088

SHA256
c210abd1ab842704e92dcc1b979d3f51f8ed46a3d268e2beb47f152e4e67b99e

SHA512
2df5a9636af0a7c23ff2171026e86310321d9bbbbb328d806bd0cef4961b44eb85f3f3164dbd095a306313c832bae1d5b52bb86870bd833edfe160532642909b

Download Submit
C:\antiOS\Mac.exe

Filesize
91KB

MD5
8bcea47c8154a9f6359da1cc64e1597a

SHA1
e46a7ef85a61fb98e164717e845e872bd8e4d088

SHA256
c210abd1ab842704e92dcc1b979d3f51f8ed46a3d268e2beb47f152e4e67b99e

SHA512
2df5a9636af0a7c23ff2171026e86310321d9bbbbb328d806bd0cef4961b44eb85f3f3164dbd095a306313c832bae1d5b52bb86870bd833edfe160532642909b

Download Submit
C:\antiOS\Mac.exe

Filesize
91KB

MD5
8bcea47c8154a9f6359da1cc64e1597a

SHA1
e46a7ef85a61fb98e164717e845e872bd8e4d088

SHA256
c210abd1ab842704e92dcc1b979d3f51f8ed46a3d268e2beb47f152e4e67b99e

SHA512
2df5a9636af0a7c23ff2171026e86310321d9bbbbb328d806bd0cef4961b44eb85f3f3164dbd095a306313c832bae1d5b52bb86870bd833edfe160532642909b

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\Volumeid64.exe

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\antiOS\host.txt

Filesize
2KB

MD5
8c1e23bbedd7d0951217fc095fecbd48

SHA1
b7c0323f215dcfbc35f32a178ac4dc3527553b1a

SHA256
9ba787ee2824879e68501320fb59d4f7925afb0390a84dd0c32dda7740909b33

SHA512
4c05fd76e7c3bf580625cba6c49b5c8401dccd63d83afbae34bd01c81945aa82155c7b436f18286eb42542107160c3c9006f9535a7bcee67787dd30e16e68ace

Download Submit
C:\antiOS\host.txt

Filesize
2KB

MD5
8c1e23bbedd7d0951217fc095fecbd48

SHA1
b7c0323f215dcfbc35f32a178ac4dc3527553b1a

SHA256
9ba787ee2824879e68501320fb59d4f7925afb0390a84dd0c32dda7740909b33

SHA512
4c05fd76e7c3bf580625cba6c49b5c8401dccd63d83afbae34bd01c81945aa82155c7b436f18286eb42542107160c3c9006f9535a7bcee67787dd30e16e68ace

Download Submit
C:\antiOS\mac.txt

Filesize
157KB

MD5
031ea2f82b7e23bff1d077fe8db1cfb5

SHA1
e5f99fa46093d23e871ffa3ac62644519453bcfa

SHA256
c87f35df9e5109c7be9cb970e101ca47e268daecfb967fe07281ac482183d297

SHA512
37e288d8cc50c3c8a76ec0d6d9f9cc4da6e7d4a32852ff83c5d73d93220fcaa049004a07358ac3238dacfaca1e3db49fb9f9ea2a9665d77951816ed8464890fe

Download Submit
C:\antiOS\mac.txt

Filesize
157KB

MD5
031ea2f82b7e23bff1d077fe8db1cfb5

SHA1
e5f99fa46093d23e871ffa3ac62644519453bcfa

SHA256
c87f35df9e5109c7be9cb970e101ca47e268daecfb967fe07281ac482183d297

SHA512
37e288d8cc50c3c8a76ec0d6d9f9cc4da6e7d4a32852ff83c5d73d93220fcaa049004a07358ac3238dacfaca1e3db49fb9f9ea2a9665d77951816ed8464890fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\blq4bb52\CSC779FD3DABD954018B223CFE3B9A5499C.TMP

Filesize
652B

MD5
4b96ae49c0455d3d8900eff1f253cf13

SHA1
4374c44b3452928274186072ee9b0924b4ff15eb

SHA256
36b135c10168b3f0cc049c06ae41bb98afba947311c87901625a17581649052e

SHA512
3a1aa77b5f57a4508cb57f4615d5305ea69e6c2e159f1a1a221721307fb5083de5db5fe34547fe0eb20c53a27294adfe24ab964bae11a2211956780b0806a255

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\blq4bb52\CSC779FD3DABD954018B223CFE3B9A5499C.TMP

Filesize
652B

MD5
4b96ae49c0455d3d8900eff1f253cf13

SHA1
4374c44b3452928274186072ee9b0924b4ff15eb

SHA256
36b135c10168b3f0cc049c06ae41bb98afba947311c87901625a17581649052e

SHA512
3a1aa77b5f57a4508cb57f4615d5305ea69e6c2e159f1a1a221721307fb5083de5db5fe34547fe0eb20c53a27294adfe24ab964bae11a2211956780b0806a255

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\blq4bb52\blq4bb52.0.cs

Filesize
213B

MD5
fd1b8966f1b6ac639be54d4098c56f20

SHA1
aacf8c0ffb03f74ae56ebd11609ea1a3331e498f

SHA256
5762d43712670d1d00b77bd0b94b0ddff2a384ecec27001ece93e6fd38622a52

SHA512
6f0b1222aa1a44c015354d3bd1cb98ecc5f8548f572097e6053910eb935d7182dafd16b7de8711985170f0830bd43a72d4875b9363e6eb515fba48b137bbf30f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\blq4bb52\blq4bb52.0.cs

Filesize
213B

MD5
fd1b8966f1b6ac639be54d4098c56f20

SHA1
aacf8c0ffb03f74ae56ebd11609ea1a3331e498f

SHA256
5762d43712670d1d00b77bd0b94b0ddff2a384ecec27001ece93e6fd38622a52

SHA512
6f0b1222aa1a44c015354d3bd1cb98ecc5f8548f572097e6053910eb935d7182dafd16b7de8711985170f0830bd43a72d4875b9363e6eb515fba48b137bbf30f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\blq4bb52\blq4bb52.cmdline

Filesize
369B

MD5
2ab316789f918a2cbfa4d71f95056664

SHA1
ad624ba1336bfe3f2ead7fae0be2ef71425a3869

SHA256
6ad9b0daf01ff22eea90bfe9726a81549d362041ed1b1e1fb46629e5f89a7b5a

SHA512
80378579fd54c8d3c092762c0e1407dea5698041fb1f8633912a3e09af394c33f68ad1c371a95482dfd1405657cc917070b72eab68c7b065b717604904d96801

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\blq4bb52\blq4bb52.cmdline

Filesize
369B

MD5
2ab316789f918a2cbfa4d71f95056664

SHA1
ad624ba1336bfe3f2ead7fae0be2ef71425a3869

SHA256
6ad9b0daf01ff22eea90bfe9726a81549d362041ed1b1e1fb46629e5f89a7b5a

SHA512
80378579fd54c8d3c092762c0e1407dea5698041fb1f8633912a3e09af394c33f68ad1c371a95482dfd1405657cc917070b72eab68c7b065b717604904d96801

Download Submit
memory/228-198-0x0000000000000000-mapping.dmp

Download
memory/228-198-0x0000000000000000-mapping.dmp

Download
memory/244-199-0x0000000000000000-mapping.dmp

Download
memory/244-199-0x0000000000000000-mapping.dmp

Download
memory/332-137-0x0000000000000000-mapping.dmp

Download
memory/332-137-0x0000000000000000-mapping.dmp

Download
memory/460-161-0x0000000000000000-mapping.dmp

Download
memory/460-161-0x0000000000000000-mapping.dmp

Download
memory/892-173-0x0000000000000000-mapping.dmp

Download
memory/892-173-0x0000000000000000-mapping.dmp

Download
memory/948-194-0x0000000000000000-mapping.dmp

Download
memory/948-194-0x0000000000000000-mapping.dmp

Download
memory/1104-193-0x0000000000000000-mapping.dmp

Download
memory/1104-193-0x0000000000000000-mapping.dmp

Download
memory/1232-136-0x0000000000000000-mapping.dmp

Download
memory/1232-136-0x0000000000000000-mapping.dmp

Download
memory/1608-159-0x0000000000000000-mapping.dmp

Download
memory/1608-159-0x0000000000000000-mapping.dmp

Download
memory/1764-154-0x0000027EB8680000-0x0000027EB86A2000-memory.dmp

Filesize
136KB

Download
memory/1764-151-0x0000000000000000-mapping.dmp

Download
memory/1764-162-0x00007FFA01B30000-0x00007FFA025F1000-memory.dmp

Filesize
10.8MB

Download
memory/1764-162-0x00007FFA01B30000-0x00007FFA025F1000-memory.dmp

Filesize
10.8MB

Download
memory/1764-151-0x0000000000000000-mapping.dmp

Download
memory/1764-232-0x00007FFA01B30000-0x00007FFA025F1000-memory.dmp

Filesize
10.8MB

Download
memory/1764-154-0x0000027EB8680000-0x0000027EB86A2000-memory.dmp

Filesize
136KB

Download
memory/1764-232-0x00007FFA01B30000-0x00007FFA025F1000-memory.dmp

Filesize
10.8MB

Download
memory/1836-189-0x0000000000000000-mapping.dmp

Download
memory/1836-189-0x0000000000000000-mapping.dmp

Download
memory/1968-185-0x0000000000000000-mapping.dmp

Download
memory/1968-185-0x0000000000000000-mapping.dmp

Download
memory/2052-206-0x0000000000000000-mapping.dmp

Download
memory/2052-206-0x0000000000000000-mapping.dmp

Download
memory/2248-220-0x0000000000000000-mapping.dmp

Download
memory/2248-220-0x0000000000000000-mapping.dmp

Download
memory/2252-172-0x0000000000000000-mapping.dmp

Download
memory/2252-227-0x0000000000000000-mapping.dmp

Download
memory/2252-172-0x0000000000000000-mapping.dmp

Download
memory/2252-227-0x0000000000000000-mapping.dmp

Download
memory/2332-213-0x0000000000000000-mapping.dmp

Download
memory/2332-163-0x0000000000000000-mapping.dmp

Download
memory/2332-163-0x0000000000000000-mapping.dmp

Download
memory/2332-213-0x0000000000000000-mapping.dmp

Download
memory/2368-224-0x0000000000000000-mapping.dmp

Download
memory/2368-224-0x0000000000000000-mapping.dmp

Download
memory/2416-221-0x0000000000000000-mapping.dmp

Download
memory/2416-221-0x0000000000000000-mapping.dmp

Download
memory/2488-195-0x0000000000000000-mapping.dmp

Download
memory/2488-195-0x0000000000000000-mapping.dmp

Download
memory/2520-174-0x0000000000000000-mapping.dmp

Download
memory/2520-174-0x0000000000000000-mapping.dmp

Download
memory/2560-180-0x0000000000000000-mapping.dmp

Download
memory/2560-180-0x0000000000000000-mapping.dmp

Download
memory/2724-187-0x0000000000000000-mapping.dmp

Download
memory/2724-187-0x0000000000000000-mapping.dmp

Download
memory/2732-202-0x0000000000000000-mapping.dmp

Download
memory/2732-202-0x0000000000000000-mapping.dmp

Download
memory/2888-140-0x0000000000000000-mapping.dmp

Download
memory/2888-140-0x0000000000000000-mapping.dmp

Download
memory/3048-228-0x0000000000000000-mapping.dmp

Download
memory/3048-228-0x0000000000000000-mapping.dmp

Download
memory/3092-200-0x0000000000000000-mapping.dmp

Download
memory/3092-200-0x0000000000000000-mapping.dmp

Download
memory/3168-152-0x00007FFA01A80000-0x00007FFA02541000-memory.dmp

Filesize
10.8MB

Download
memory/3168-150-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/3168-150-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/3168-146-0x0000000000000000-mapping.dmp

Download
memory/3168-146-0x0000000000000000-mapping.dmp

Download
memory/3168-152-0x00007FFA01A80000-0x00007FFA02541000-memory.dmp

Filesize
10.8MB

Download
memory/3372-205-0x0000000000000000-mapping.dmp

Download
memory/3372-205-0x0000000000000000-mapping.dmp

Download
memory/3532-190-0x0000000000000000-mapping.dmp

Download
memory/3532-190-0x0000000000000000-mapping.dmp

Download
memory/3564-204-0x0000000000000000-mapping.dmp

Download
memory/3564-204-0x0000000000000000-mapping.dmp

Download
memory/3568-170-0x0000000000000000-mapping.dmp

Download
memory/3568-170-0x0000000000000000-mapping.dmp

Download
memory/3568-223-0x0000000000000000-mapping.dmp

Download
memory/3568-223-0x0000000000000000-mapping.dmp

Download
memory/3624-209-0x0000000000000000-mapping.dmp

Download
memory/3624-209-0x0000000000000000-mapping.dmp

Download
memory/3664-171-0x0000000000000000-mapping.dmp

Download
memory/3664-171-0x0000000000000000-mapping.dmp

Download
memory/3692-142-0x0000000000000000-mapping.dmp

Download
memory/3692-142-0x0000000000000000-mapping.dmp

Download
memory/3744-157-0x0000000000000000-mapping.dmp

Download
memory/3744-157-0x0000000000000000-mapping.dmp

Download
memory/3748-153-0x0000000000000000-mapping.dmp

Download
memory/3748-153-0x0000000000000000-mapping.dmp

Download
memory/3880-184-0x0000000000000000-mapping.dmp

Download
memory/3880-184-0x0000000000000000-mapping.dmp

Download
memory/3932-256-0x00007FFA08A80000-0x00007FFA08A82000-memory.dmp

Filesize
8KB

Download
memory/3932-256-0x00007FFA08A80000-0x00007FFA08A82000-memory.dmp

Filesize
8KB

Download
memory/3952-178-0x0000000000000000-mapping.dmp

Download
memory/3952-178-0x0000000000000000-mapping.dmp

Download
memory/3976-134-0x0000000007180000-0x0000000007212000-memory.dmp

Filesize
584KB

Download
memory/3976-134-0x0000000007180000-0x0000000007212000-memory.dmp

Filesize
584KB

Download
memory/3976-135-0x0000000007170000-0x000000000717A000-memory.dmp

Filesize
40KB

Download
memory/3976-135-0x0000000007170000-0x000000000717A000-memory.dmp

Filesize
40KB

Download
memory/3976-133-0x0000000007650000-0x0000000007BF4000-memory.dmp

Filesize
5.6MB

Download
memory/3976-132-0x00000000004F0000-0x00000000005A4000-memory.dmp

Filesize
720KB

Download
memory/3976-133-0x0000000007650000-0x0000000007BF4000-memory.dmp

Filesize
5.6MB

Download
memory/3976-132-0x00000000004F0000-0x00000000005A4000-memory.dmp

Filesize
720KB

Download
memory/3984-192-0x0000000000000000-mapping.dmp

Download
memory/3984-192-0x0000000000000000-mapping.dmp

Download
memory/4100-197-0x0000000000000000-mapping.dmp

Download
memory/4100-197-0x0000000000000000-mapping.dmp

Download
memory/4224-212-0x0000000000000000-mapping.dmp

Download
memory/4224-212-0x0000000000000000-mapping.dmp

Download
memory/4228-167-0x0000000000000000-mapping.dmp

Download
memory/4228-218-0x0000000000000000-mapping.dmp

Download
memory/4228-218-0x0000000000000000-mapping.dmp

Download
memory/4228-167-0x0000000000000000-mapping.dmp

Download
memory/4284-203-0x0000000000000000-mapping.dmp

Download
memory/4284-203-0x0000000000000000-mapping.dmp

Download
memory/4288-230-0x0000000000000000-mapping.dmp

Download
memory/4288-230-0x0000000000000000-mapping.dmp

Download
memory/4396-211-0x0000000000000000-mapping.dmp

Download
memory/4396-211-0x0000000000000000-mapping.dmp

Download
memory/4404-164-0x0000000000000000-mapping.dmp

Download
memory/4404-214-0x0000000000000000-mapping.dmp

Download
memory/4404-214-0x0000000000000000-mapping.dmp

Download
memory/4404-164-0x0000000000000000-mapping.dmp

Download
memory/4464-169-0x0000000000000000-mapping.dmp

Download
memory/4464-169-0x0000000000000000-mapping.dmp

Download
memory/4516-182-0x0000000000000000-mapping.dmp

Download
memory/4516-182-0x0000000000000000-mapping.dmp

Download
memory/4528-207-0x0000000000000000-mapping.dmp

Download
memory/4528-207-0x0000000000000000-mapping.dmp

Download
memory/4572-143-0x0000000000000000-mapping.dmp

Download
memory/4572-143-0x0000000000000000-mapping.dmp

Download
memory/4656-188-0x0000000000000000-mapping.dmp

Download
memory/4656-188-0x0000000000000000-mapping.dmp

Download
memory/4668-175-0x0000000000000000-mapping.dmp

Download
memory/4668-175-0x0000000000000000-mapping.dmp

Download
memory/4712-208-0x0000000000000000-mapping.dmp

Download
memory/4712-208-0x0000000000000000-mapping.dmp

Download
memory/4784-191-0x0000000000000000-mapping.dmp

Download
memory/4784-191-0x0000000000000000-mapping.dmp

Download
memory/4916-148-0x0000000000000000-mapping.dmp

Download
memory/4916-148-0x0000000000000000-mapping.dmp

Download
memory/4948-196-0x0000000000000000-mapping.dmp

Download
memory/4948-196-0x0000000000000000-mapping.dmp

Download
memory/4996-201-0x0000000000000000-mapping.dmp

Download
memory/4996-201-0x0000000000000000-mapping.dmp

Download
memory/5012-179-0x0000000000000000-mapping.dmp

Download
memory/5012-179-0x0000000000000000-mapping.dmp

Download
memory/5084-210-0x0000000000000000-mapping.dmp

Download
memory/5084-210-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads