Malware Analysis Report

2024-09-22 13:39

Sample ID 240620-elb1gaxfnf
Target PhantomSolutions.exe
SHA256 f976368908d75ad474cb16762742852803ae91d1727197a80e9c55ec9e910b89
Tags
evasion execution cerber ransomware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f976368908d75ad474cb16762742852803ae91d1727197a80e9c55ec9e910b89

Threat Level: Known bad

The file PhantomSolutions.exe was found to be: Known bad.

Malicious Activity Summary

evasion execution cerber ransomware themida trojan

Cerber

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Themida packer

Executes dropped EXE

Checks BIOS information in registry

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Modifies system certificate store

Runs net.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 04:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 04:01

Reported

2024-06-20 04:03

Platform

win7-20240419-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe"

Signatures

Stops running service(s)

evasion execution

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 316 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2372 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2372 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2372 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2372 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2372 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2372 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2372 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe

"C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg32.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq charles*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ida*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker3 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker3

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker2 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker2

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker1 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker1

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop wireshark >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop wireshark

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq die*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebugger.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebugger.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im FolderChangesView.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im FolderChangesView.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HttpDebuggerSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HttpDebuggerSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop npf >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop npf

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1616

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.0.5:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.171:80 apps.identrust.com tcp

Files

memory/2372-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

memory/2372-1-0x0000000000820000-0x0000000000C52000-memory.dmp

memory/2372-2-0x0000000073FB0000-0x000000007469E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6B7.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar75A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7349065d221e74385374e4883862d9e0
SHA1 dbbaa297341f67f649e2d46271524aaeac21602a
SHA256 429738f82fd6755da283ab9f445a7043b03ec572198dd9641de3b0af4fc93a47
SHA512 71b68ba94f88e214862c5bf49c7ed9e4a9a315f8fc606af0525dc2323efec3c977cac0992dbc14a37b9f3c65044feb3fff9b51663fc6bbc1d67d7f53cc22a09e

memory/2372-69-0x0000000073FB0000-0x000000007469E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 04:01

Reported

2024-06-20 04:07

Platform

win10v2004-20240611-en

Max time kernel

385s

Max time network

278s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe"

Signatures

Cerber

ransomware cerber
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ N/A N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\wbem\repository\MAPPING1.MAP N/A N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING2.MAP N/A N/A
File opened for modification C:\Windows\system32\wbem\repository\MAPPING3.MAP N/A N/A
File opened for modification C:\Windows\system32\wbem\repository\OBJECTS.DATA N/A N/A
File opened for modification C:\Windows\system32\wbem\repository\INDEX.BTR N/A N/A
File opened for modification C:\Windows\system32\wbem\repository N/A N/A
File opened for modification C:\Windows\system32\wbem\repository\WRITABLE.TST N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2588 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 60 wrote to memory of 3776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2588 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2588 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 3128 wrote to memory of 3296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2588 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 5044 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2588 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 2340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2588 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2588 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 4336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2588 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2588 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 3712 wrote to memory of 3552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2588 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2588 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe

"C:\Users\Admin\AppData\Local\Temp\PhantomSolutions.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg32.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq charles*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ida*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker3 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker3

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker2 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker2

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker1 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker1

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop wireshark >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop wireshark

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq die*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebugger.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebugger.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im FolderChangesView.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im FolderChangesView.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HttpDebuggerSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HttpDebuggerSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop npf >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop npf

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg32.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq charles*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ida*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker3 >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker3

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker2 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker2

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker1 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker1

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop wireshark >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop wireshark

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq die*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebugger.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebugger.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im FolderChangesView.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im FolderChangesView.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HttpDebuggerSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HttpDebuggerSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop npf >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop npf

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg32.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq charles*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ida*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker3 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker3

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker2 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker2

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker1 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker1

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop wireshark >nul 2>&1

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\sc.exe

sc stop wireshark

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv pj8SAT2SCUicCRR6TV5inw.0.2

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding


C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\sc.exe

sc stop wireshark

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq die*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebugger.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebugger.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im FolderChangesView.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im FolderChangesView.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HttpDebuggerSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HttpDebuggerSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop npf >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop npf

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg32.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq charles*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ida*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker3 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker3

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker2 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker2

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker1 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker1

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop wireshark >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop wireshark

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq die*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebugger.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebugger.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im FolderChangesView.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im FolderChangesView.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HttpDebuggerSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HttpDebuggerSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop npf >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop npf

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg32.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq charles*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ida*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker3 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker3

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker2 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker2

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker1 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker1

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop wireshark >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop wireshark

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq die*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebugger.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebugger.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im FolderChangesView.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im FolderChangesView.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HttpDebuggerSdk >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\sc.exe

sc stop HttpDebuggerSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop npf >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\sc.exe

sc stop npf

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg32.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq charles*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ida*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker3 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker3

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker2 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker2

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker1 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker1

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop wireshark >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop wireshark

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq die*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebugger.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebugger.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im FolderChangesView.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im FolderChangesView.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HttpDebuggerSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HttpDebuggerSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop npf >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop npf

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg64.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im Dbg32.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Dbg32.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq charles*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ida*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerProSdk >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerProSdk

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker3 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker3

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker2 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker2

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop KProcessHacker1 >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop KProcessHacker1

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop wireshark >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop wireshark

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c sc stop HTTPDebuggerPro >nul 2>&1

C:\Windows\SysWOW64\sc.exe

sc stop HTTPDebuggerPro

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /FI "IMAGENAME eq die*" /IM * /F /T

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im HTTPDebugger.exe >nul 2>&1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im HTTPDebugger.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c taskkill /f /im FolderChangesView.exe >nul 2>&1

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 57.72.67.172.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

C:\PhantomSolutions\AppleCleaner.exe

MD5 f96eb2236970fb3ea97101b923af4228
SHA1 e0eed80f1054acbf5389a7b8860a4503dd3e184a
SHA256 46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172
SHA512 2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

C:\PhantomSolutions\zhjers.exe

MD5 f17ecf761e70feb98c7f628857eedfe7
SHA1 b2c1263c641bdaee8266a05a0afbb455e29e240d
SHA256 311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf
SHA512 e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

C:\PhantomSolutions\amifldrv64.sys

MD5 f22740ba54a400fd2be7690bb204aa08
SHA1 5812387783d61c6ab5702213bb968590a18065e3
SHA256 65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9
SHA512 ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500
