Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    01-06-2024 05:37

General

  • Target

    WL1FIKZrIDoFw7XzP7SHK27KGML6JFbu.exe

  • Size

    9.5MB

  • MD5

    e6d512680551588927a4be527845d488

  • SHA1

    1d4c4fe2f8804313e0db9b58bc58414a5117f688

  • SHA256

    9fb32a17637b8291d56b2dfad58469416f146235a37a750587eb1a993063c19d

  • SHA512

    f915a973ce546e7d3a3e61e658f478e8c1d9c2d93377f984efc0dede796762fd923866d62bbf67e48aaa92eafb71555e75c6762406765bfd62ba00e1d342df17

  • SSDEEP

    196608:TnYm6jQF25UTqU6PbYi7SIySIZc6RfS2oZ6i8TBP4J5:TnPeU6r7SrZc6R62sL8d4

Score
8/10

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
  • Launches sc.exe 64 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WL1FIKZrIDoFw7XzP7SHK27KGML6JFbu.exe
    "C:\Users\Admin\AppData\Local\Temp\WL1FIKZrIDoFw7XzP7SHK27KGML6JFbu.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c SystemSettingsAdminFlows.exe SetInternetTime 1 >nul 2>nul
      2⤵
        PID:2624
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2712
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2640
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1836
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2656
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1440
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1964
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1312
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1956
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\system32\taskkill.exe
          taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1208
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:468
        • C:\Windows\system32\sc.exe
          sc stop HTTPDebuggerPro
          3⤵
          • Launches sc.exe
          PID:2356
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>nul
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\system32\sc.exe
          sc stop HTTPDebuggerProSdk
          3⤵
          • Launches sc.exe
          PID:484
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>nul
        2⤵
          PID:1652
          • C:\Windows\system32\sc.exe
            sc stop KProcessHacker3
            3⤵
            • Launches sc.exe
            PID:284
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>nul
          2⤵
            PID:268
            • C:\Windows\system32\sc.exe
              sc stop KProcessHacker2
              3⤵
              • Launches sc.exe
              PID:1592
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>nul
            2⤵
              PID:3024
              • C:\Windows\system32\sc.exe
                sc stop KProcessHacker1
                3⤵
                • Launches sc.exe
                PID:1756
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>nul
              2⤵
                PID:2252
                • C:\Windows\system32\sc.exe
                  sc stop wireshark
                  3⤵
                    PID:1516
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>nul
                  2⤵
                    PID:2316
                    • C:\Windows\system32\sc.exe
                      sc stop npf
                      3⤵
                      • Launches sc.exe
                      PID:2268
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c SystemSettingsAdminFlows.exe SetInternetTime 1 >nul 2>nul
                    2⤵
                      PID:2652
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>nul
                      2⤵
                        PID:2856
                        • C:\Windows\system32\taskkill.exe
                          taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                          3⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2232
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>nul
                        2⤵
                          PID:1104
                          • C:\Windows\system32\taskkill.exe
                            taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                            3⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1672
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>nul
                          2⤵
                            PID:1772
                            • C:\Windows\system32\taskkill.exe
                              taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
                              3⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2924
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>nul
                            2⤵
                              PID:448
                              • C:\Windows\system32\taskkill.exe
                                taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
                                3⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1748
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>nul
                              2⤵
                                PID:2320
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                                  3⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2340
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>nul
                                2⤵
                                  PID:1524
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
                                    3⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1660
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>nul
                                  2⤵
                                    PID:940
                                    • C:\Windows\system32\taskkill.exe
                                      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                      3⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2260
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>nul
                                    2⤵
                                      PID:832
                                      • C:\Windows\system32\taskkill.exe
                                        taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                                        3⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:920
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>nul
                                      2⤵
                                        PID:1364
                                        • C:\Windows\system32\sc.exe
                                          sc stop HTTPDebuggerPro
                                          3⤵
                                          • Launches sc.exe
                                          PID:1716
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>nul
                                        2⤵
                                          PID:1800
                                          • C:\Windows\system32\sc.exe
                                            sc stop HTTPDebuggerProSdk
                                            3⤵
                                            • Launches sc.exe
                                            PID:1752
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>nul
                                          2⤵
                                            PID:2368
                                            • C:\Windows\system32\sc.exe
                                              sc stop KProcessHacker3
                                              3⤵
                                              • Launches sc.exe
                                              PID:552
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c cls
                                            2⤵
                                              PID:1680
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>nul
                                              2⤵
                                                PID:2892
                                                • C:\Windows\system32\sc.exe
                                                  sc stop KProcessHacker2
                                                  3⤵
                                                  • Launches sc.exe
                                                  PID:2896
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>nul
                                                2⤵
                                                  PID:2872
                                                  • C:\Windows\system32\sc.exe
                                                    sc stop KProcessHacker1
                                                    3⤵
                                                      PID:1732
                                                  • C:\Windows\system32\WerFault.exe
                                                    C:\Windows\system32\WerFault.exe -u -p 1484 -s 1100
                                                    2⤵
                                                      PID:1272
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>nul
                                                      2⤵
                                                        PID:2132
                                                        • C:\Windows\system32\sc.exe
                                                          sc stop wireshark
                                                          3⤵
                                                          • Launches sc.exe
                                                          PID:1544
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>nul
                                                        2⤵
                                                          PID:2932
                                                          • C:\Windows\system32\sc.exe
                                                            sc stop npf
                                                            3⤵
                                                            • Launches sc.exe
                                                            PID:1708
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c SystemSettingsAdminFlows.exe SetInternetTime 1 >nul 2>nul
                                                          2⤵
                                                            PID:1992
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>nul
                                                            2⤵
                                                              PID:2904
                                                              • C:\Windows\system32\taskkill.exe
                                                                taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                3⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2740
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>nul
                                                              2⤵
                                                                PID:844
                                                                • C:\Windows\system32\taskkill.exe
                                                                  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                  3⤵
                                                                  • Kills process with taskkill
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2476
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>nul
                                                                2⤵
                                                                  PID:1972
                                                                  • C:\Windows\system32\taskkill.exe
                                                                    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
                                                                    3⤵
                                                                    • Kills process with taskkill
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2492
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>nul
                                                                  2⤵
                                                                    PID:2532
                                                                    • C:\Windows\system32\taskkill.exe
                                                                      taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
                                                                      3⤵
                                                                      • Kills process with taskkill
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2712
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>nul
                                                                    2⤵
                                                                      PID:3040
                                                                      • C:\Windows\system32\taskkill.exe
                                                                        taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                                                                        3⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2520
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>nul
                                                                      2⤵
                                                                        PID:2772
                                                                        • C:\Windows\system32\taskkill.exe
                                                                          taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
                                                                          3⤵
                                                                          • Kills process with taskkill
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2756
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>nul
                                                                        2⤵
                                                                          PID:1836
                                                                          • C:\Windows\system32\taskkill.exe
                                                                            taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                            3⤵
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1860
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>nul
                                                                          2⤵
                                                                            PID:2776
                                                                            • C:\Windows\system32\taskkill.exe
                                                                              taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                                                                              3⤵
                                                                              • Kills process with taskkill
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2780
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>nul
                                                                            2⤵
                                                                              PID:1440
                                                                              • C:\Windows\system32\sc.exe
                                                                                sc stop HTTPDebuggerPro
                                                                                3⤵
                                                                                • Launches sc.exe
                                                                                PID:2020
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>nul
                                                                              2⤵
                                                                                PID:1936
                                                                                • C:\Windows\system32\sc.exe
                                                                                  sc stop HTTPDebuggerProSdk
                                                                                  3⤵
                                                                                  • Launches sc.exe
                                                                                  PID:1804
                                                                              • C:\Windows\system32\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>nul
                                                                                2⤵
                                                                                  PID:2028
                                                                                  • C:\Windows\system32\sc.exe
                                                                                    sc stop KProcessHacker3
                                                                                    3⤵
                                                                                    • Launches sc.exe
                                                                                    PID:1948
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>nul
                                                                                  2⤵
                                                                                    PID:2444
                                                                                    • C:\Windows\system32\sc.exe
                                                                                      sc stop KProcessHacker2
                                                                                      3⤵
                                                                                      • Launches sc.exe
                                                                                      PID:2396
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>nul
                                                                                    2⤵
                                                                                      PID:2360
                                                                                      • C:\Windows\system32\sc.exe
                                                                                        sc stop KProcessHacker1
                                                                                        3⤵
                                                                                        • Launches sc.exe
                                                                                        PID:1956
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>nul
                                                                                      2⤵
                                                                                        PID:2156
                                                                                        • C:\Windows\system32\sc.exe
                                                                                          sc stop wireshark
                                                                                          3⤵
                                                                                          • Launches sc.exe
                                                                                          PID:2160
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>nul
                                                                                        2⤵
                                                                                          PID:2024
                                                                                          • C:\Windows\system32\sc.exe
                                                                                            sc stop npf
                                                                                            3⤵
                                                                                            • Launches sc.exe
                                                                                            PID:1208
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c SystemSettingsAdminFlows.exe SetInternetTime 1 >nul 2>nul
                                                                                          2⤵
                                                                                            PID:316
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>nul
                                                                                            2⤵
                                                                                              PID:1228
                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                                                3⤵
                                                                                                • Kills process with taskkill
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2928
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>nul
                                                                                              2⤵
                                                                                                PID:1584
                                                                                                • C:\Windows\system32\taskkill.exe
                                                                                                  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                                                  3⤵
                                                                                                  • Kills process with taskkill
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:2380
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>nul
                                                                                                2⤵
                                                                                                  PID:484
                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
                                                                                                    3⤵
                                                                                                    • Kills process with taskkill
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:1060
                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>nul
                                                                                                  2⤵
                                                                                                    PID:1596
                                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                                      taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
                                                                                                      3⤵
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:1592
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>nul
                                                                                                    2⤵
                                                                                                      PID:2236
                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                        taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                                                                                                        3⤵
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:1516
                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>nul
                                                                                                      2⤵
                                                                                                        PID:2224
                                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                                          taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
                                                                                                          3⤵
                                                                                                          • Kills process with taskkill
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2860
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>nul
                                                                                                        2⤵
                                                                                                          PID:2248
                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                            taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                                                            3⤵
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:1316
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>nul
                                                                                                          2⤵
                                                                                                            PID:324
                                                                                                            • C:\Windows\system32\taskkill.exe
                                                                                                              taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                                                                                                              3⤵
                                                                                                              • Kills process with taskkill
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:2844
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>nul
                                                                                                            2⤵
                                                                                                              PID:904
                                                                                                              • C:\Windows\system32\sc.exe
                                                                                                                sc stop HTTPDebuggerPro
                                                                                                                3⤵
                                                                                                                • Launches sc.exe
                                                                                                                PID:1844
                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>nul
                                                                                                              2⤵
                                                                                                                PID:2924
                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                  sc stop HTTPDebuggerProSdk
                                                                                                                  3⤵
                                                                                                                  • Launches sc.exe
                                                                                                                  PID:1772
                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>nul
                                                                                                                2⤵
                                                                                                                  PID:1508
                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                    sc stop KProcessHacker3
                                                                                                                    3⤵
                                                                                                                    • Launches sc.exe
                                                                                                                    PID:1132
                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>nul
                                                                                                                  2⤵
                                                                                                                    PID:1748
                                                                                                                    • C:\Windows\system32\sc.exe
                                                                                                                      sc stop KProcessHacker2
                                                                                                                      3⤵
                                                                                                                        PID:448
                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>nul
                                                                                                                      2⤵
                                                                                                                        PID:668
                                                                                                                        • C:\Windows\system32\sc.exe
                                                                                                                          sc stop KProcessHacker1
                                                                                                                          3⤵
                                                                                                                          • Launches sc.exe
                                                                                                                          PID:1664
                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>nul
                                                                                                                        2⤵
                                                                                                                          PID:1156
                                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                                            sc stop wireshark
                                                                                                                            3⤵
                                                                                                                            • Launches sc.exe
                                                                                                                            PID:1940
                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>nul
                                                                                                                          2⤵
                                                                                                                            PID:1244
                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                              sc stop npf
                                                                                                                              3⤵
                                                                                                                              • Launches sc.exe
                                                                                                                              PID:1764
                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c SystemSettingsAdminFlows.exe SetInternetTime 1 >nul 2>nul
                                                                                                                            2⤵
                                                                                                                              PID:1916
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>nul
                                                                                                                              2⤵
                                                                                                                                PID:1852
                                                                                                                                • C:\Windows\system32\taskkill.exe
                                                                                                                                  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                                                                                  3⤵
                                                                                                                                  • Kills process with taskkill
                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                  PID:1300
                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>nul
                                                                                                                                2⤵
                                                                                                                                  PID:940
                                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                                    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                                                                                    3⤵
                                                                                                                                    • Kills process with taskkill
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:3060
                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>nul
                                                                                                                                  2⤵
                                                                                                                                    PID:832
                                                                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                                                                      taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
                                                                                                                                      3⤵
                                                                                                                                      • Kills process with taskkill
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      PID:2868
                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>nul
                                                                                                                                    2⤵
                                                                                                                                      PID:2204
                                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                                        taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
                                                                                                                                        3⤵
                                                                                                                                        • Kills process with taskkill
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        PID:1960
                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>nul
                                                                                                                                      2⤵
                                                                                                                                        PID:1560
                                                                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                                                                          taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                                                                                                                                          3⤵
                                                                                                                                          • Kills process with taskkill
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          PID:1252
                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>nul
                                                                                                                                        2⤵
                                                                                                                                          PID:552
                                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                                            taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
                                                                                                                                            3⤵
                                                                                                                                            • Kills process with taskkill
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:1680
                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>nul
                                                                                                                                          2⤵
                                                                                                                                            PID:2892
                                                                                                                                            • C:\Windows\system32\taskkill.exe
                                                                                                                                              taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                                                                                              3⤵
                                                                                                                                              • Kills process with taskkill
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              PID:1620
                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>nul
                                                                                                                                            2⤵
                                                                                                                                              PID:2132
                                                                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                                                                taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                                                                                                                                                3⤵
                                                                                                                                                • Kills process with taskkill
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                PID:1272
                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>nul
                                                                                                                                              2⤵
                                                                                                                                                PID:2952
                                                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                                                  sc stop HTTPDebuggerPro
                                                                                                                                                  3⤵
                                                                                                                                                  • Launches sc.exe
                                                                                                                                                  PID:1740
                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>nul
                                                                                                                                                2⤵
                                                                                                                                                  PID:2560
                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                    sc stop HTTPDebuggerProSdk
                                                                                                                                                    3⤵
                                                                                                                                                    • Launches sc.exe
                                                                                                                                                    PID:2096
                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>nul
                                                                                                                                                  2⤵
                                                                                                                                                    PID:2988
                                                                                                                                                    • C:\Windows\system32\sc.exe
                                                                                                                                                      sc stop KProcessHacker3
                                                                                                                                                      3⤵
                                                                                                                                                      • Launches sc.exe
                                                                                                                                                      PID:2604
                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>nul
                                                                                                                                                    2⤵
                                                                                                                                                      PID:2960
                                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                                        sc stop KProcessHacker2
                                                                                                                                                        3⤵
                                                                                                                                                        • Launches sc.exe
                                                                                                                                                        PID:2832
                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                      C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>nul
                                                                                                                                                      2⤵
                                                                                                                                                        PID:2820
                                                                                                                                                        • C:\Windows\system32\sc.exe
                                                                                                                                                          sc stop KProcessHacker1
                                                                                                                                                          3⤵
                                                                                                                                                          • Launches sc.exe
                                                                                                                                                          PID:2480
                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>nul
                                                                                                                                                        2⤵
                                                                                                                                                          PID:2500
                                                                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                                                                            sc stop wireshark
                                                                                                                                                            3⤵
                                                                                                                                                            • Launches sc.exe
                                                                                                                                                            PID:2556
                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                          C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>nul
                                                                                                                                                          2⤵
                                                                                                                                                            PID:1972
                                                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                                                              sc stop npf
                                                                                                                                                              3⤵
                                                                                                                                                              • Launches sc.exe
                                                                                                                                                              PID:2828
                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                            C:\Windows\system32\cmd.exe /c SystemSettingsAdminFlows.exe SetInternetTime 1 >nul 2>nul
                                                                                                                                                            2⤵
                                                                                                                                                              PID:2620
                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>nul
                                                                                                                                                              2⤵
                                                                                                                                                                PID:2496
                                                                                                                                                                • C:\Windows\system32\taskkill.exe
                                                                                                                                                                  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                                                                                                                  3⤵
                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                  PID:2540
                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>nul
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:2660
                                                                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                                                                    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                                                                                                                    3⤵
                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                    PID:2728
                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>nul
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:2772
                                                                                                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                                                                                                      taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
                                                                                                                                                                      3⤵
                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                      PID:2816
                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>nul
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:2900
                                                                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                                                                        taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
                                                                                                                                                                        3⤵
                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                        PID:2032
                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>nul
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:1820
                                                                                                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                                                                                                          taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                                                                                                                                                                          3⤵
                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                          PID:2020
                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>nul
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:1996
                                                                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                                                                            taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
                                                                                                                                                                            3⤵
                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                            PID:1948
                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                          C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>nul
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:2444
                                                                                                                                                                            • C:\Windows\system32\taskkill.exe
                                                                                                                                                                              taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                                                                                                                              3⤵
                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                              PID:1312
                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>nul
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:2160
                                                                                                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                                                                                                                                                                                3⤵
                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                PID:2156
                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                              C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>nul
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:556
                                                                                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                                                                                  sc stop HTTPDebuggerPro
                                                                                                                                                                                  3⤵
                                                                                                                                                                                  • Launches sc.exe
                                                                                                                                                                                  PID:1788
                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>nul
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:332
                                                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                                                    sc stop HTTPDebuggerProSdk
                                                                                                                                                                                    3⤵
                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                    PID:536
                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>nul
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:2356
                                                                                                                                                                                    • C:\Windows\system32\sc.exe
                                                                                                                                                                                      sc stop KProcessHacker3
                                                                                                                                                                                      3⤵
                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                      PID:1552
                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>nul
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:1068
                                                                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                                                                        sc stop KProcessHacker2
                                                                                                                                                                                        3⤵
                                                                                                                                                                                        • Launches sc.exe
                                                                                                                                                                                        PID:1644
                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>nul
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:2392
                                                                                                                                                                                        • C:\Windows\system32\sc.exe
                                                                                                                                                                                          sc stop KProcessHacker1
                                                                                                                                                                                          3⤵
                                                                                                                                                                                          • Launches sc.exe
                                                                                                                                                                                          PID:1600
                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>nul
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:2112
                                                                                                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                                                                                                            sc stop wireshark
                                                                                                                                                                                            3⤵
                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                            PID:1676
                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>nul
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:484
                                                                                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                                                                                              sc stop npf
                                                                                                                                                                                              3⤵
                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                              PID:608
                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c SystemSettingsAdminFlows.exe SetInternetTime 1 >nul 2>nul
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:1592
                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:2252
                                                                                                                                                                                                • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                  PID:2308
                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:1388
                                                                                                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                    PID:2228
                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:584
                                                                                                                                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                      taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                      PID:2860
                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:2856
                                                                                                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                        taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:828
                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:1472
                                                                                                                                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                          taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:1672
                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:2300
                                                                                                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                            taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            PID:2280
                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:1640
                                                                                                                                                                                                            • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                              taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                              PID:448
                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:668
                                                                                                                                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                PID:1880
                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>nul
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:1244
                                                                                                                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                  sc stop HTTPDebuggerPro
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Launches sc.exe
                                                                                                                                                                                                                  PID:1920
                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>nul
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:2260
                                                                                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                    sc stop HTTPDebuggerProSdk
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                                                    PID:1924
                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>nul
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                    PID:1852
                                                                                                                                                                                                                    • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                      sc stop KProcessHacker3
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                      PID:2448
                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>nul
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:980
                                                                                                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                        sc stop KProcessHacker2
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                        • Launches sc.exe
                                                                                                                                                                                                                        PID:3000
                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>nul
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:2864
                                                                                                                                                                                                                        • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                          sc stop KProcessHacker1
                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                          • Launches sc.exe
                                                                                                                                                                                                                          PID:1364
                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>nul
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:2716
                                                                                                                                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                            sc stop wireshark
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                            PID:2836
                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>nul
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                            PID:2276
                                                                                                                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                              sc stop npf
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                                              PID:1980
                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c SystemSettingsAdminFlows.exe SetInternetTime 1 >nul 2>nul
                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                              PID:2792
                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:2508
                                                                                                                                                                                                                                • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:1668
                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                  PID:1812
                                                                                                                                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                    PID:1680
                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:1620
                                                                                                                                                                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                      taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                      PID:2064
                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:1532
                                                                                                                                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                        taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                        PID:1792
                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:2096
                                                                                                                                                                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                          taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                          • Kills process with taskkill
                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                          PID:2560
                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                          PID:2256
                                                                                                                                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                            taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                            PID:2832
                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:844
                                                                                                                                                                                                                                            • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                              taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                              PID:2484
                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:2828
                                                                                                                                                                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                PID:2592
                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>nul
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                PID:1984
                                                                                                                                                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                  sc stop HTTPDebuggerPro
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                  • Launches sc.exe
                                                                                                                                                                                                                                                  PID:2640
                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>nul
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:2540
                                                                                                                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                    sc stop HTTPDebuggerProSdk
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                    • Launches sc.exe
                                                                                                                                                                                                                                                    PID:2496
                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>nul
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:2704
                                                                                                                                                                                                                                                    • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                      sc stop KProcessHacker3
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                      PID:2728
                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>nul
                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                      PID:2800
                                                                                                                                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                        sc stop KProcessHacker2
                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                        • Launches sc.exe
                                                                                                                                                                                                                                                        PID:1836
                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>nul
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:1860
                                                                                                                                                                                                                                                        • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                          sc stop KProcessHacker1
                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                          • Launches sc.exe
                                                                                                                                                                                                                                                          PID:2816
                                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>nul
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                          PID:2656
                                                                                                                                                                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                            sc stop wireshark
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                                                            PID:2908
                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>nul
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:2032
                                                                                                                                                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                              sc stop npf
                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                                                                              PID:1952
                                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c SystemSettingsAdminFlows.exe SetInternetTime 1 >nul 2>nul
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                              PID:1964
                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:2020
                                                                                                                                                                                                                                                                • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                  taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                  PID:1776
                                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                  PID:2200
                                                                                                                                                                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                                                                                    PID:2168
                                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                    PID:2432
                                                                                                                                                                                                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                      taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                                                      PID:2024
                                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                      PID:316
                                                                                                                                                                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                        taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                                                        PID:468
                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                        PID:1552
                                                                                                                                                                                                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                          taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:2356
                                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                            PID:1584
                                                                                                                                                                                                                                                                            • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                              taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                                                              PID:320
                                                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                              PID:884
                                                                                                                                                                                                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                                taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                  PID:1548
                                                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                  PID:2308
                                                                                                                                                                                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                                    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                                                                                                    PID:2252
                                                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>nul
                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                    PID:1388
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                      sc stop HTTPDebuggerPro
                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                                      PID:1480
                                                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>nul
                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                      PID:2224
                                                                                                                                                                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                        sc stop HTTPDebuggerProSdk
                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                        • Launches sc.exe
                                                                                                                                                                                                                                                                                        PID:2296
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>nul
                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                        PID:648
                                                                                                                                                                                                                                                                                        • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                          sc stop KProcessHacker3
                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                          • Launches sc.exe
                                                                                                                                                                                                                                                                                          PID:2248
                                                                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>nul
                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                          PID:1316
                                                                                                                                                                                                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                            sc stop KProcessHacker2
                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                                                                                            PID:2176
                                                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>nul
                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                            PID:324
                                                                                                                                                                                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                              sc stop KProcessHacker1
                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                                                                                                              PID:1104
                                                                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>nul
                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                              PID:2924
                                                                                                                                                                                                                                                                                              • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                                sc stop wireshark
                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                • Launches sc.exe
                                                                                                                                                                                                                                                                                                PID:2284
                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>nul
                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                PID:2424
                                                                                                                                                                                                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                                  sc stop npf
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                  • Launches sc.exe
                                                                                                                                                                                                                                                                                                  PID:1772
                                                                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c SystemSettingsAdminFlows.exe SetInternetTime 1 >nul 2>nul
                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                  PID:2304
                                                                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                    PID:2352
                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                                                      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                      • Kills process with taskkill
                                                                                                                                                                                                                                                                                                      PID:1084
                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                      PID:2320
                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                                                        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                        • Kills process with taskkill
                                                                                                                                                                                                                                                                                                        PID:1880
                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                        PID:1244
                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                                                          taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                          • Kills process with taskkill
                                                                                                                                                                                                                                                                                                          PID:2452
                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                          PID:2344
                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                                                            taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                                                                                                                                                            PID:604
                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                            PID:1364
                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                                                              taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                              • Kills process with taskkill
                                                                                                                                                                                                                                                                                                              PID:2864
                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                              PID:1980
                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                                                                taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                PID:2824
                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                PID:2896
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                                                                  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                  PID:352
                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>nul
                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                  PID:1576
                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                                                                                                                                                                                                                    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                    • Kills process with taskkill
                                                                                                                                                                                                                                                                                                                    PID:1688
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>nul
                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                    PID:2932
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                                                      sc stop HTTPDebuggerPro
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                      • Launches sc.exe
                                                                                                                                                                                                                                                                                                                      PID:2892
                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>nul
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                      PID:1620
                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                                                        sc stop HTTPDebuggerProSdk
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                        • Launches sc.exe
                                                                                                                                                                                                                                                                                                                        PID:2188
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>nul
                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                        PID:1992
                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                                                          sc stop KProcessHacker3
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                          • Launches sc.exe
                                                                                                                                                                                                                                                                                                                          PID:2132
                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>nul
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                          PID:1532
                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                                                            sc stop KProcessHacker2
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                            • Launches sc.exe
                                                                                                                                                                                                                                                                                                                            PID:2760
                                                                                                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>nul
                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                            PID:2904
                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                                                                                                                                                                                                                              sc stop KProcessHacker1
                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                PID:2488

                                                                                                                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                          Downloads

                                                                                                                                                                                                                                                                                                                          • memory/1484-0-0x000000013F289000-0x000000013FA78000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            7.9MB

                                                                                                                                                                                                                                                                                                                          • memory/1484-18-0x000000013F190000-0x0000000140401000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            18.4MB

                                                                                                                                                                                                                                                                                                                          • memory/1484-16-0x000000013F190000-0x0000000140401000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            18.4MB

                                                                                                                                                                                                                                                                                                                          • memory/1484-11-0x000000013F190000-0x0000000140401000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            18.4MB

                                                                                                                                                                                                                                                                                                                          • memory/1484-10-0x0000000077610000-0x0000000077612000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                          • memory/1484-8-0x0000000077610000-0x0000000077612000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                          • memory/1484-6-0x0000000077610000-0x0000000077612000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                          • memory/1484-5-0x00000000775F0000-0x00000000775F2000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                          • memory/1484-3-0x00000000775F0000-0x00000000775F2000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                          • memory/1484-1-0x00000000775F0000-0x00000000775F2000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                          • memory/1484-35-0x0000000000150000-0x0000000000151000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                          • memory/1484-42-0x0000000000150000-0x0000000000151000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                          • memory/1484-57-0x0000000000150000-0x0000000000151000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                          • memory/1484-121-0x000000013F190000-0x0000000140401000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            18.4MB

                                                                                                                                                                                                                                                                                                                          • memory/1484-120-0x000000013F289000-0x000000013FA78000-memory.dmp

                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                            7.9MB