Malware Analysis Report

2025-01-02 15:00

Sample ID 241123-pa55aa1kbp
Target Perm Loader.exe
SHA256 b65f83bc7d778dc7b4498f1dae68b77855be8a6be9aa4a5e483209396f20a8ca
Tags
cerber ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b65f83bc7d778dc7b4498f1dae68b77855be8a6be9aa4a5e483209396f20a8ca

Threat Level: Known bad

The file Perm Loader.exe was found to be: Known bad.

Malicious Activity Summary

cerber ransomware

Cerber

Cerber family

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Kills process with taskkill

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-23 12:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-23 12:08

Reported

2024-11-23 12:09

Platform

win10ltsc2021-20241023-en

Max time kernel

21s

Max time network

22s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe"

Signatures

Cerber

ransomware cerber
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Windows\System32\AMIDEWINx64.EXE N/A

Cerber family

cerber

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\AMIDEWINx64.EXE C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe N/A
File created C:\Windows\System32\amifldrv64.sys C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "245" C:\Windows\system32\LogonUI.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 312 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 1376 wrote to memory of 4652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 364 wrote to memory of 4040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 3328 wrote to memory of 4368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 3236 wrote to memory of 3860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 2872 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 312 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 4172 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 3840 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 1764 wrote to memory of 1696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 1408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 1604 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 2112 wrote to memory of 4208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 2340 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe
PID 2944 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 312 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im KsDumperClient.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im KsDumper.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im ProcessHacker.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im idaq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\taskkill.exe

taskkill /f /im idaq64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FiddlerEverywhere.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Xenos64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Xenos.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Xenos32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im de4dot.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Cheat Engine.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im cheatengine-x86_64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im MugenJinFuu-i386.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im cheatengine-x86_64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im cheatengine-i386.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTP Debugger Windows Service (32 bit).exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im KsDumper.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im x64dbg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im x32dbg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Dbg64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Dbg32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SV "System version"

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /SV "System version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SS Z1GSK2E3QL

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /SS Z1GSK2E3QL

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im KsDumperClient.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"

C:\Windows\system32\taskkill.exe

taskkill /f /im KsDumper.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BV " "

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /BV " "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im ProcessHacker.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BS 9IWEVAKDGHWESS

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /BS 9IWEVAKDGHWESS

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im idaq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"

C:\Windows\system32\taskkill.exe

taskkill /f /im idaq64.exe

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CS C3WTED02WP

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /CS C3WTED02WP

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FiddlerEverywhere.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Xenos64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Xenos.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Xenos32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1

C:\Windows\System32\AMIDEWINx64.EXE

C:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."

C:\Windows\system32\taskkill.exe

taskkill /f /im de4dot.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Cheat Engine.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im cheatengine-x86_64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im MugenJinFuu-i386.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im cheatengine-x86_64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im cheatengine-i386.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTP Debugger Windows Service (32 bit).exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im KsDumper.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im x64dbg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im x32dbg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Ida64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im OllyDbg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Dbg64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Dbg32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Taskmgr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im KsDumperClient.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im KsDumper.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerUI.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im HTTPDebuggerSvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im ProcessHacker.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im idaq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im idaq64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im FiddlerEverywhere.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Xenos64.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Xenos.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im Xenos32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown /r /t 0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1

C:\Windows\system32\taskkill.exe

taskkill /f /im de4dot.exe

C:\Windows\system32\shutdown.exe

shutdown /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39f3055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Windows\System32\AMIDEWINx64.EXE

MD5 9adfcdac59db3286690c7eede8da2528
SHA1 0b54d251438a634bd13b49a1f20587cf03d4598d
SHA256 13037eedd91f9313ec0d807947db65c639642e5ae6497e87d12fa6d19951f78e
SHA512 fde1700cdb4212593ec2733944a169c7d02f436ca6831719a33482fbfd0be289697c9aa6ce7ddfb6c245e87952b35416929bbf69753d21a24197ac6c2d1243cc

C:\Windows\System32\amifldrv64.sys

MD5 f22740ba54a400fd2be7690bb204aa08
SHA1 5812387783d61c6ab5702213bb968590a18065e3
SHA256 65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9
SHA512 ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500
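The process list above is a compact procedure: AMIDEWINx64.EXE (AMI's DMI editing utility, which loads amifldrv64.sys to write the SMBIOS tables; that driver load is what the "LoadsDriver" signature in the overview corresponds to) rewrites the system, baseboard, chassis and processor identifiers, interleaved taskkill calls remove debuggers, HTTP sniffers, dumpers and process viewers, and `shutdown /r /t 0` reboots so the new values take effect. The helper below, added here as an example and not part of the sandbox report or the sample, parses those command lines and turns them into the facts an analyst wants on a ticket: which DMI fields were rewritten and to what, which images were targeted, whether a forced reboot followed, and whether a kernel driver was dropped into System32. The sample input is a constructed list of command lines copied from this report; the switch-to-field mapping is taken from AMIDEWIN's own switch help and is an assumption to verify against `AMIDEWINx64.EXE /?` rather than something the report states. Note the unquoted `taskkill /f /im Cheat Engine.exe`: cmd hands taskkill `Cheat` as the image name and `Engine.exe` as a stray argument, so that line cannot kill the intended process, and the parser surfaces such malformed targets.

```python
"""Triage helper for the behavioral1 process list (added example, not report code)."""
import re
from typing import Optional

# Assumed meaning of the AMIDEWIN switches observed in this run. Taken from the
# tool's switch help; confirm with `AMIDEWINx64.EXE /?` before relying on it.
AMIDEWIN_FIELDS = {
    "SS": "System Serial Number", "SU": "System UUID", "SK": "System SKU",
    "BM": "Baseboard Manufacturer", "BP": "Baseboard Product",
    "BV": "Baseboard Version", "BS": "Baseboard Serial Number",
    "BT": "Baseboard Asset Tag", "BLC": "Baseboard Location in Chassis",
    "CM": "Chassis Manufacturer", "CV": "Chassis Version",
    "CS": "Chassis Serial Number", "CA": "Chassis Asset Tag", "CSK": "Chassis SKU",
    "PSN": "Processor Serial Number", "PAT": "Processor Asset Tag",
    "PPN": "Processor Part Number",
}

# Constructed sample: inner command lines copied from the process list above
# (the cmd.exe /c wrappers are omitted; they add nothing to the parse).
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\AMIDEWINx64.EXE /SS Z1GSK2E3QL',
    r'C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO',
    r'C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"',
    r'C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"',
    r'C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"',
    r'C:\Windows\System32\AMIDEWINx64.EXE /BV " "',
    r'C:\Windows\System32\AMIDEWINx64.EXE /BS 9IWEVAKDGHWESS',
    r'C:\Windows\System32\AMIDEWINx64.EXE /CS C3WTED02WP',
    r'C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."',
    r'taskkill /f /im KsDumperClient.exe',
    r'taskkill /f /im Cheat Engine.exe',
    r'taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T',
    r'taskkill /f /im Taskmgr.exe',
    r'shutdown /r /t 0',
]

# Constructed sample: paths from the Files section above.
SAMPLE_FILES = [
    r'C:\Windows\System32\AMIDEWINx64.EXE',
    r'C:\Windows\System32\amifldrv64.sys',
]

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmd: str) -> list[str]:
    """Split a cmd.exe-style line, keeping double-quoted runs as one token."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN_RE.finditer(cmd)]


def _image(tok: str) -> str:
    """Bare, upper-cased image name from a token that may carry a full path."""
    return tok.rsplit("\\", 1)[-1].upper()


def parse_amidewin(cmd: str) -> Optional[tuple[str, str, str]]:
    """Return (switch, field name, new value) for an AMIDEWIN write, else None."""
    toks = tokenize(cmd)
    if not toks or "AMIDEWIN" not in _image(toks[0]):
        return None
    for i, tok in enumerate(toks[1:], start=1):
        if tok.startswith("/"):
            switch = tok[1:].upper()
            value = toks[i + 1] if i + 1 < len(toks) else ""
            return switch, AMIDEWIN_FIELDS.get(switch, "unknown field"), value
    return None


def parse_taskkill(cmd: str) -> tuple[list[str], list[str]]:
    """Return (/IM image names, /FI filter expressions) from a taskkill line."""
    toks = tokenize(cmd)
    if not toks or _image(toks[0]) not in ("TASKKILL", "TASKKILL.EXE"):
        return [], []
    images, filters = [], []
    for i, tok in enumerate(toks[:-1]):
        if tok.upper() == "/IM":
            images.append(toks[i + 1])
        elif tok.upper() == "/FI":
            filters.append(toks[i + 1])
    return images, filters


def malformed_kill_targets(images: list[str]) -> list[str]:
    """/IM values that are neither a wildcard nor an image name ending in .exe
    (e.g. 'Cheat' left over from an unquoted 'Cheat Engine.exe')."""
    return [im for im in images if im != "*" and not im.lower().endswith(".exe")]


def dropped_kernel_drivers(paths: list[str]) -> list[str]:
    """Dropped files that are kernel drivers placed under System32."""
    return [p for p in paths
            if p.lower().endswith(".sys") and "\\system32\\" in p.lower()]


def triage(cmdlines: list[str]) -> dict:
    """Summarise DMI rewrites, kill targets and forced reboot from command lines."""
    dmi: dict[str, tuple[str, str]] = {}
    kills: list[str] = []
    filters: list[str] = []
    reboot = False
    for cmd in cmdlines:
        hit = parse_amidewin(cmd)
        if hit:
            switch, field, value = hit
            dmi[switch] = (field, value)
            continue
        im, fi = parse_taskkill(cmd)
        kills += im
        filters += fi
        toks = tokenize(cmd)
        if toks and _image(toks[0]) in ("SHUTDOWN", "SHUTDOWN.EXE") \
                and "/R" in {t.upper() for t in toks[1:]}:
            reboot = True
    if len(dmi) >= 3 and (kills or filters) and reboot:
        verdict = "SMBIOS/HWID spoofer pattern: DMI fields rewritten, " \
                  "analysis tools killed, forced reboot"
    elif dmi:
        verdict = "SMBIOS fields rewritten"
    else:
        verdict = "no SMBIOS tampering observed"
    return {"dmi_fields": dmi, "kill_targets": kills, "kill_filters": filters,
            "forced_reboot": reboot, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for switch, (field, value) in result["dmi_fields"].items():
        print(f"/{switch:<3} {field:<32} -> {value!r}")
    print("kill targets:", result["kill_targets"])
    print("malformed   :", malformed_kill_targets(result["kill_targets"]))
    print("drivers     :", dropped_kernel_drivers(SAMPLE_FILES))
    print(result["verdict"])
```

Feed it the full list of inner command lines from the Processes section to get every rewritten field; in this run the values are either random serials (`/SS`, `/BS`, `/CS`), a fresh UUID (`/SU AUTO`), or OEM placeholder strings, which is the signature of a spoofer resetting a machine's hardware identity rather than of a ransomware payload's setup. Hunting for the same behaviour on endpoints means alerting on AMIDEWIN*.EXE or amifldrv64.sys appearing in System32 at all, since neither belongs on a managed workstation.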