9d6a780c9d7d1b3d95717fda1f4b388aef2d7282884b0c84714e3755dbabb71b

Resubmissions

26/09/2022, 11:58

220926-n45j6safg8 8

26/09/2022, 11:52

220926-n13leabhaq 8

28/08/2021, 13:15

210828-154l63lwp2 10

Analysis

max time kernel
29s
max time network
175s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/09/2022, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gerjjkrkjjk33.exe
Size

492KB
MD5

e530cbe69e8f66f8a8560ad9f31bfdf3
SHA1

f72ca49a000436158abb13902e4b5a864729723a
SHA256

9d6a780c9d7d1b3d95717fda1f4b388aef2d7282884b0c84714e3755dbabb71b
SHA512

96d75cf5556c4f0ba356edbc62f60b81ee45347bd9a73a93553eba511af62b725f31cf2df3cb5530d6e50ce344dd41a7bf9adbf377627228166e718ee46d24af
SSDEEP

12288:wvt9TGeQdLP/5JtmiEk9AWVHF8XCf8o1bm/RIy42MhmZY8OxnislXc:wvt9TGRdz/awAaa/RqCZY8OFie

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Launches sc.exe 23 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1492	sc.exe
632	sc.exe
1700	sc.exe
536	sc.exe
1184	sc.exe
996	sc.exe
1156	sc.exe
2012	sc.exe
1688	sc.exe
1712	sc.exe
964	sc.exe
1544	sc.exe
1632	sc.exe
996	sc.exe
1784	sc.exe
284	sc.exe
1184	sc.exe
1820	sc.exe
796	sc.exe
880	sc.exe
1592	sc.exe
604	sc.exe
836	sc.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1116	taskkill.exe
1544	taskkill.exe
1732	taskkill.exe
1572	taskkill.exe
1432	taskkill.exe
1836	taskkill.exe
912	taskkill.exe
1560	taskkill.exe
2040	taskkill.exe
2008	taskkill.exe
880	taskkill.exe
2040	taskkill.exe
1744	taskkill.exe
1980	taskkill.exe
1556	taskkill.exe
576	taskkill.exe
1432	taskkill.exe
1116	taskkill.exe
1696	taskkill.exe
1088	taskkill.exe
360	taskkill.exe
536	taskkill.exe
1868	taskkill.exe
952	taskkill.exe
900	taskkill.exe
1144	taskkill.exe
1704	taskkill.exe
1556	taskkill.exe
1556	taskkill.exe
1664	taskkill.exe
1272	taskkill.exe
604	taskkill.exe
604	taskkill.exe
2040	taskkill.exe
1996	taskkill.exe
1464	taskkill.exe
1748	taskkill.exe
1704	taskkill.exe
1572	taskkill.exe
1184	taskkill.exe
360	taskkill.exe
1688	taskkill.exe
1732	taskkill.exe
428	taskkill.exe
1704	taskkill.exe
700	taskkill.exe
1560	taskkill.exe
836	taskkill.exe
1572	taskkill.exe
1764	taskkill.exe
1992	taskkill.exe
1792	taskkill.exe
996	taskkill.exe
1060	taskkill.exe
1624	taskkill.exe
284	taskkill.exe
1480	taskkill.exe
584	taskkill.exe
2032	taskkill.exe
1088	taskkill.exe
584	taskkill.exe
1664	taskkill.exe
1544	taskkill.exe
1760	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1756	taskmgr.exe
1756	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	taskmgr.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	584	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	964	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	880	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	1220	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	1272	cmd.exe
Token: SeDebugPrivilege	1480	cmd.exe
Token: SeDebugPrivilege	928	cmd.exe
Token: SeDebugPrivilege	1664	cmd.exe
Token: SeDebugPrivilege	1224	cmd.exe
Token: SeDebugPrivilege	1784	cmd.exe
Token: SeDebugPrivilege	1792	cmd.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	1688	cmd.exe
Token: SeDebugPrivilege	700	cmd.exe
Token: SeDebugPrivilege	1928	cmd.exe
Token: SeDebugPrivilege	1972	cmd.exe
Token: SeDebugPrivilege	2040	cmd.exe
Token: SeDebugPrivilege	624	cmd.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	940	cmd.exe
Token: SeDebugPrivilege	360	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	1868	cmd.exe
Token: SeDebugPrivilege	1284	cmd.exe
Token: SeDebugPrivilege	1712	taskkill.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1284	2044	gerjjkrkjjk33.exe	27
PID 2044 wrote to memory of 1284	2044	gerjjkrkjjk33.exe	27
PID 2044 wrote to memory of 1284	2044	gerjjkrkjjk33.exe	27
PID 2044 wrote to memory of 1284	2044	gerjjkrkjjk33.exe	27
PID 1284 wrote to memory of 996	1284	cmd.exe	29
PID 1284 wrote to memory of 996	1284	cmd.exe	29
PID 1284 wrote to memory of 996	1284	cmd.exe	29
PID 1284 wrote to memory of 996	1284	cmd.exe	29
PID 2044 wrote to memory of 1752	2044	gerjjkrkjjk33.exe	31
PID 2044 wrote to memory of 1752	2044	gerjjkrkjjk33.exe	31
PID 2044 wrote to memory of 1752	2044	gerjjkrkjjk33.exe	31
PID 2044 wrote to memory of 1752	2044	gerjjkrkjjk33.exe	31
PID 1752 wrote to memory of 1440	1752	cmd.exe	32
PID 1752 wrote to memory of 1440	1752	cmd.exe	32
PID 1752 wrote to memory of 1440	1752	cmd.exe	32
PID 1752 wrote to memory of 1440	1752	cmd.exe	32
PID 2044 wrote to memory of 912	2044	gerjjkrkjjk33.exe	33
PID 2044 wrote to memory of 912	2044	gerjjkrkjjk33.exe	33
PID 2044 wrote to memory of 912	2044	gerjjkrkjjk33.exe	33
PID 2044 wrote to memory of 912	2044	gerjjkrkjjk33.exe	33
PID 912 wrote to memory of 1216	912	cmd.exe	34
PID 912 wrote to memory of 1216	912	cmd.exe	34
PID 912 wrote to memory of 1216	912	cmd.exe	34
PID 912 wrote to memory of 1216	912	cmd.exe	34
PID 2044 wrote to memory of 536	2044	gerjjkrkjjk33.exe	35
PID 2044 wrote to memory of 536	2044	gerjjkrkjjk33.exe	35
PID 2044 wrote to memory of 536	2044	gerjjkrkjjk33.exe	35
PID 2044 wrote to memory of 536	2044	gerjjkrkjjk33.exe	35
PID 536 wrote to memory of 1628	536	cmd.exe	36
PID 536 wrote to memory of 1628	536	cmd.exe	36
PID 536 wrote to memory of 1628	536	cmd.exe	36
PID 536 wrote to memory of 1628	536	cmd.exe	36
PID 2044 wrote to memory of 836	2044	gerjjkrkjjk33.exe	37
PID 2044 wrote to memory of 836	2044	gerjjkrkjjk33.exe	37
PID 2044 wrote to memory of 836	2044	gerjjkrkjjk33.exe	37
PID 2044 wrote to memory of 836	2044	gerjjkrkjjk33.exe	37
PID 836 wrote to memory of 1636	836	cmd.exe	38
PID 836 wrote to memory of 1636	836	cmd.exe	38
PID 836 wrote to memory of 1636	836	cmd.exe	38
PID 836 wrote to memory of 1636	836	cmd.exe	38
PID 2044 wrote to memory of 1740	2044	gerjjkrkjjk33.exe	39
PID 2044 wrote to memory of 1740	2044	gerjjkrkjjk33.exe	39
PID 2044 wrote to memory of 1740	2044	gerjjkrkjjk33.exe	39
PID 2044 wrote to memory of 1740	2044	gerjjkrkjjk33.exe	39
PID 1740 wrote to memory of 1944	1740	cmd.exe	40
PID 1740 wrote to memory of 1944	1740	cmd.exe	40
PID 1740 wrote to memory of 1944	1740	cmd.exe	40
PID 1740 wrote to memory of 1944	1740	cmd.exe	40
PID 2044 wrote to memory of 2012	2044	gerjjkrkjjk33.exe	41
PID 2044 wrote to memory of 2012	2044	gerjjkrkjjk33.exe	41
PID 2044 wrote to memory of 2012	2044	gerjjkrkjjk33.exe	41
PID 2044 wrote to memory of 2012	2044	gerjjkrkjjk33.exe	41
PID 2012 wrote to memory of 1272	2012	cmd.exe	42
PID 2012 wrote to memory of 1272	2012	cmd.exe	42
PID 2012 wrote to memory of 1272	2012	cmd.exe	42
PID 2012 wrote to memory of 1272	2012	cmd.exe	42
PID 2044 wrote to memory of 668	2044	gerjjkrkjjk33.exe	43
PID 2044 wrote to memory of 668	2044	gerjjkrkjjk33.exe	43
PID 2044 wrote to memory of 668	2044	gerjjkrkjjk33.exe	43
PID 2044 wrote to memory of 668	2044	gerjjkrkjjk33.exe	43
PID 668 wrote to memory of 1556	668	cmd.exe	44
PID 668 wrote to memory of 1556	668	cmd.exe	44
PID 668 wrote to memory of 1556	668	cmd.exe	44
PID 668 wrote to memory of 1556	668	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\gerjjkrkjjk33.exe
"C:\Users\Admin\AppData\Local\Temp\gerjjkrkjjk33.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    - Kills process with taskkill
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    - Kills process with taskkill
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:1452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    - Kills process with taskkill
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    - Kills process with taskkill
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:300
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:1532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    - Kills process with taskkill
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:932
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    - Kills process with taskkill
    PID:584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:668
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:604
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    - Kills process with taskkill
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:996
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:632
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    - Kills process with taskkill
    PID:900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c IMPORTANT.html
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\IMPORTANT.html
    3⤵
    PID:1440
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1440 CREDAT:275457 /prefetch:2
      4⤵
      PID:900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:1240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    - Kills process with taskkill
    PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    - Kills process with taskkill
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:956
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:836
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1628
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:268
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    - Kills process with taskkill
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    - Kills process with taskkill
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:468
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    - Kills process with taskkill
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:856
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cmd.exe >nul 2>&1
  2⤵
  PID:512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HxD.exe >nul 2>&1
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HxD.exe
    3⤵
    PID:512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe >nul 2>&1
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1132

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IMPORTANT.html

Filesize
29KB

MD5
a76796d8774b479ebd90b6da72ff9de5

SHA1
5bd7edc7fad8378224df354796b97e95dd4d2934

SHA256
753a34901a175ec37cd8aa4d1cded11ca5711948b0d63efefab9b1385efb0850

SHA512
b546c8338b181d6a645f5c33a43758da0154f7060954c1e2691c6a427b10504ca14186d160c3ec821a89f783bd2211246c7dd0c59cb1d55d23bbbd56563f93e6

Download Submit
memory/1284-119-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/1756-55-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download