4a3d7c6b66ee0e818f5940aa41dd5a778e4ad8edc66cfe892996f6c4da417b1b

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe
Size

4.3MB
MD5

69a17741bd43a2004532c6ff52f42cf7
SHA1

4a7ea7db2595f83f0aceb87b687c16f369c4ef7f
SHA256

4a3d7c6b66ee0e818f5940aa41dd5a778e4ad8edc66cfe892996f6c4da417b1b
SHA512

cf9f5a03716ae9a70f8603cd5a3cdff238ec1778c2902f22c10ec874bd202c03e1e6c75bc564544402eda738a0b4bbf1fba5e9bfc162698a4df65215913a86b5
SSDEEP

98304:kaDc4W94xIK+wESdYgpIZb/mDkIPktyFF1gK59Pksq47QO6f40JTl:kaDS94xIFwE3q4b/mAJ4FFqoasqE0Vl

Score

9^/10

discovery evasion execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2412-0-0x000000013F9E0000-0x00000001403FA000-memory.dmp	themida
behavioral1/memory/2412-2-0x000000013F9E0000-0x00000001403FA000-memory.dmp	themida
behavioral1/memory/2412-3-0x000000013F9E0000-0x00000001403FA000-memory.dmp	themida
behavioral1/memory/2412-4-0x000000013F9E0000-0x00000001403FA000-memory.dmp	themida
behavioral1/memory/2412-5-0x000000013F9E0000-0x00000001403FA000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2900	Process not Found
2728	Process not Found
1528	Process not Found
2100	Process not Found
2056	sc.exe
1328	Process not Found
2656	Process not Found
396	sc.exe
804	sc.exe
1252	Process not Found
2552	Process not Found
2940	Process not Found
2240	Process not Found
1532	sc.exe
1320	sc.exe
3064	Process not Found
2856	Process not Found
2364	Process not Found
2684	Process not Found
3032	sc.exe
2504	sc.exe
2076	sc.exe
2604	sc.exe
2828	Process not Found
2668	Process not Found
2632	Process not Found
844	Process not Found
2376	sc.exe
2136	Process not Found
1640	Process not Found
2452	Process not Found
2716	Process not Found
2836	sc.exe
2852	Process not Found
640	Process not Found
2228	sc.exe
3064	Process not Found
2504	Process not Found
2120	sc.exe
1368	Process not Found
2656	Process not Found
1252	sc.exe
2768	Process not Found
2192	Process not Found
2976	Process not Found
3016	sc.exe
2656	Process not Found
2148	Process not Found
1968	Process not Found
2888	Process not Found
2148	Process not Found
1284	sc.exe
2620	Process not Found
828	Process not Found
1828	Process not Found
1056	sc.exe
984	Process not Found
2936	Process not Found
984	Process not Found
2288	sc.exe
2188	Process not Found
736	Process not Found
2528	Process not Found
1964	Process not Found

System Time Discovery 1 TTPs 64 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
972	cmd.exe
2104	cmd.exe
1548	cmd.exe
2528	Process not Found
1176	Process not Found
2160	Process not Found
2632	Process not Found
1684	cmd.exe
1720	Process not Found
2004	Process not Found
2392	cmd.exe
1964	cmd.exe
2524	Process not Found
1960	Process not Found
1512	Process not Found
1324	Process not Found
2848	Process not Found
1404	cmd.exe
2892	cmd.exe
2780	Process not Found
1644	Process not Found
1992	Process not Found
2892	cmd.exe
1784	cmd.exe
2808	Process not Found
1548	cmd.exe
1340	cmd.exe
1512	Process not Found
1848	Process not Found
2872	cmd.exe
1512	cmd.exe
2512	Process not Found
680	Process not Found
380	Process not Found
2148	Process not Found
2588	Process not Found
2296	cmd.exe
2324	Process not Found
2928	Process not Found
2288	cmd.exe
1948	Process not Found
1584	Process not Found
1516	Process not Found
1080	cmd.exe
1752	cmd.exe
2652	cmd.exe
1220	Process not Found
1220	Process not Found
1968	Process not Found
2964	Process not Found
2936	cmd.exe
2544	cmd.exe
1328	cmd.exe
2316	cmd.exe
1696	cmd.exe
2192	Process not Found
1620	Process not Found
2792	Process not Found
3068	Process not Found
1768	Process not Found
2924	Process not Found
3056	cmd.exe
1512	cmd.exe
3052	Process not Found

Kills process with taskkill 64 IoCs

evasion

pid	Process
2292	taskkill.exe
1300	Process not Found
1760	taskkill.exe
2508	taskkill.exe
1056	taskkill.exe
1340	taskkill.exe
736	taskkill.exe
1944	Process not Found
1328	Process not Found
2848	Process not Found
1060	Process not Found
2828	taskkill.exe
1128	Process not Found
2856	Process not Found
2536	Process not Found
1032	Process not Found
2996	taskkill.exe
3000	taskkill.exe
2720	taskkill.exe
396	taskkill.exe
1536	taskkill.exe
1516	Process not Found
2092	Process not Found
1592	Process not Found
1084	Process not Found
2540	taskkill.exe
2296	Process not Found
2644	Process not Found
3000	taskkill.exe
2572	taskkill.exe
836	taskkill.exe
2336	taskkill.exe
3068	Process not Found
3028	taskkill.exe
2572	taskkill.exe
2796	taskkill.exe
1768	Process not Found
1148	Process not Found
1320	taskkill.exe
1784	taskkill.exe
2716	taskkill.exe
2440	Process not Found
2788	Process not Found
1648	Process not Found
1176	Process not Found
1636	Process not Found
2304	Process not Found
2792	Process not Found
2436	Process not Found
1368	Process not Found
2700	Process not Found
1816	Process not Found
2356	Process not Found
2224	taskkill.exe
2708	Process not Found
1860	Process not Found
1432	Process not Found
2016	Process not Found
1928	Process not Found
1864	Process not Found
292	Process not Found
2740	taskkill.exe
764	taskkill.exe
3068	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	804	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	736	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	476	taskkill.exe
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2288	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	32
PID 2412 wrote to memory of 2288	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	32
PID 2412 wrote to memory of 2288	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	32
PID 2412 wrote to memory of 2296	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	34
PID 2412 wrote to memory of 2296	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	34
PID 2412 wrote to memory of 2296	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	34
PID 2296 wrote to memory of 2316	2296	cmd.exe	36
PID 2296 wrote to memory of 2316	2296	cmd.exe	36
PID 2296 wrote to memory of 2316	2296	cmd.exe	36
PID 2412 wrote to memory of 2680	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	38
PID 2412 wrote to memory of 2680	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	38
PID 2412 wrote to memory of 2680	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	38
PID 2680 wrote to memory of 2816	2680	cmd.exe	40
PID 2680 wrote to memory of 2816	2680	cmd.exe	40
PID 2680 wrote to memory of 2816	2680	cmd.exe	40
PID 2412 wrote to memory of 2852	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	41
PID 2412 wrote to memory of 2852	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	41
PID 2412 wrote to memory of 2852	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	41
PID 2852 wrote to memory of 3000	2852	cmd.exe	43
PID 2852 wrote to memory of 3000	2852	cmd.exe	43
PID 2852 wrote to memory of 3000	2852	cmd.exe	43
PID 2412 wrote to memory of 2824	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	44
PID 2412 wrote to memory of 2824	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	44
PID 2412 wrote to memory of 2824	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	44
PID 2824 wrote to memory of 2996	2824	cmd.exe	46
PID 2824 wrote to memory of 2996	2824	cmd.exe	46
PID 2824 wrote to memory of 2996	2824	cmd.exe	46
PID 2412 wrote to memory of 2916	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	47
PID 2412 wrote to memory of 2916	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	47
PID 2412 wrote to memory of 2916	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	47
PID 2916 wrote to memory of 2936	2916	cmd.exe	49
PID 2916 wrote to memory of 2936	2916	cmd.exe	49
PID 2916 wrote to memory of 2936	2916	cmd.exe	49
PID 2412 wrote to memory of 2708	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	50
PID 2412 wrote to memory of 2708	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	50
PID 2412 wrote to memory of 2708	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	50
PID 2708 wrote to memory of 2856	2708	cmd.exe	52
PID 2708 wrote to memory of 2856	2708	cmd.exe	52
PID 2708 wrote to memory of 2856	2708	cmd.exe	52
PID 2412 wrote to memory of 2548	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	53
PID 2412 wrote to memory of 2548	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	53
PID 2412 wrote to memory of 2548	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	53
PID 2548 wrote to memory of 2596	2548	cmd.exe	55
PID 2548 wrote to memory of 2596	2548	cmd.exe	55
PID 2548 wrote to memory of 2596	2548	cmd.exe	55
PID 2412 wrote to memory of 2224	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	56
PID 2412 wrote to memory of 2224	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	56
PID 2412 wrote to memory of 2224	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	56
PID 2224 wrote to memory of 2196	2224	cmd.exe	58
PID 2224 wrote to memory of 2196	2224	cmd.exe	58
PID 2224 wrote to memory of 2196	2224	cmd.exe	58
PID 2412 wrote to memory of 2360	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	59
PID 2412 wrote to memory of 2360	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	59
PID 2412 wrote to memory of 2360	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	59
PID 2360 wrote to memory of 2776	2360	cmd.exe	61
PID 2360 wrote to memory of 2776	2360	cmd.exe	61
PID 2360 wrote to memory of 2776	2360	cmd.exe	61
PID 2412 wrote to memory of 2784	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	62
PID 2412 wrote to memory of 2784	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	62
PID 2412 wrote to memory of 2784	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	62
PID 2784 wrote to memory of 2780	2784	cmd.exe	64
PID 2784 wrote to memory of 2780	2784	cmd.exe	64
PID 2784 wrote to memory of 2780	2784	cmd.exe	64
PID 2412 wrote to memory of 1916	2412	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	65

C:\Users\Admin\AppData\Local\Temp\69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2288
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2776
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2780
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1916
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:1636
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2008
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:2836
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2716
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1392
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:960
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2764
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2744
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:1128
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1060
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:396
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2892
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2620
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2076
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1712
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:380
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2944
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2120
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:3032
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2376
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:1780
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:1856
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1284
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2992
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2968
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:1140
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2264
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1964
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:3044
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:348
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:3060
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2460
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1148
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:984
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1668
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2468
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:972
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1612
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2288
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2316
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2816
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:3000
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2996
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2936
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2856
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2588
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:1528
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2104
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2224
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1596
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2360
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2724
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2784
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1940
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1916
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:1592
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:376
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2716
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1956
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:960
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2872
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2744
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2924
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2628
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:804
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2004
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:1480
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1124
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2424
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:1632
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:1732
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:1680
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1752
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2376
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2252
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:1540
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2220
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1284
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1748
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2228
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:1252
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1560
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2208
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1508
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:344
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:880
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1316
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2320
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1612
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:476
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:532
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2296
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2816
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2796
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2536
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2936
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2608
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2604
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2576
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:832
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2148
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2212
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2580
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1684
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1084
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2772
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:1340
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1620
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:1944
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2592
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:1784
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1080
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:376
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1176
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1820
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:1948
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:1744
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1096
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:1072
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:1124
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2424
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:568
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:684
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:1728
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2056
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:1892
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2504
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2144
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1780
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1932
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:1296
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:752
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:3052
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2968
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:552
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2264
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:2208
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2332
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1040
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1608
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2176
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2312
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2684
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:3000
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2824
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2736
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2544
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2536
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:1288
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2936
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2708
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2604
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2196
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:832
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2096
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2212
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2780
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1684
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2880
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2772
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2836
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1548
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1784
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1264
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2900
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2092
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2184
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1440
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2160
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:1396
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2944
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3028
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1720
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:680
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:568
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2120
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1728
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:3032
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1892
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1544
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2144
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:1564
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1932
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:3024
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:752
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2452
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1404
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1964
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:3004
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2372
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:1560
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2460
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:3060
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2468
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1056
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2448
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2324
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2288
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2828
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2316
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2680
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3000
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2700
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2852
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2812
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2996
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2644
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2916
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1572
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2232
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2652
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:1532
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2560
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2152
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2588
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2748
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2104
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2788
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2360
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1860
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:1548
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2356
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:1784
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:1228
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1216
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2888
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2900
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2124
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2924
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2972
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2628
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:944
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1440
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2960
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2160
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1244
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:1696
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:948
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2500
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2068
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:748
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1076
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2040
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:1764
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:624
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:684
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:1916
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1544
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:2504
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1752
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2308
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:752
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:1404
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2984
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:1964
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:344
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2372
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:1148
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1536
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1516
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:1668
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2060
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2660
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2844
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2828
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2808
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2556
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2684
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2664
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2860
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2188
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2568
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2796
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2544
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2552
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2608
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2540
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2232
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2584
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2936
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2580
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:976
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2588
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:1340
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1940
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:2880
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2516
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2784
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:1336
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2356
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1264
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:1228
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:1196
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2888
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2092
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:2124
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2076
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2972
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1776
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2336
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2004
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:1480
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2492
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1328
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:380
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:3028
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:948
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:888
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2944
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:2120
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1076
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:1716
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1512
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1916
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2056
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2760
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:2376
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1932
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:3024
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:1144
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1296
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:1252
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2868
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1508
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2292
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2368
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:3060
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:772
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2448
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2060
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1792
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2140
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2848
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    - Launches sc.exe
    PID:2288
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2844
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2688
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2808
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2740
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2684
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:1928
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2860
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2824
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:836
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2904
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2544
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2540
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2704
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1572
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:2604
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2780
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:2560
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2104
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:1596
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2360
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1600
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:1548
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2768
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1336
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:1760
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:2872
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2888
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2924
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2080
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:804
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2892
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2384
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1660
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1776
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1300
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:944
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2960
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1836
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:1072
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1244
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:888
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2392
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2120
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:568
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1124
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1320
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1680
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:1728
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2452
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2760
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:764
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1780
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1968
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2228
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:1748
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2264
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:972
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:344
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:1564
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:1148
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1604
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1056
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2468
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:640
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2448
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2168
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2324
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2656
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2176
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2556
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2844
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2664
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2840
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:3000
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2296
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:3012
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2524
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2708
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:2608
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2704
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:2652
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2604
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2096
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2152
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:976
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2776
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1340
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2836
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2880
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:1592
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:2784
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2008
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2620
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1760
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2184
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2888
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2092
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1788
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:2076
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2892
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:3016
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2384
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2004
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1776
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2492
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1328
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1072
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2016
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1696
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1716
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:1960
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:1544
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1512
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2968
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2056
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2144
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2376
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2220
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:3024
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:1284
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1296
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2084
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2868
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1612
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:344
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2292
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:1148
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2368
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1056
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1604
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:640
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2020
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2168
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2320
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:532
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2828
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2556
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2316
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2844
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2188
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1032
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:2816
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2524
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:2536
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2608
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2540
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2652
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2936
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2096
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2780
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:976
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2104
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:1340
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2880
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:1600
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1848
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2784
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1548
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2600
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:3068
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2184
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:660
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2092
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2192
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2076
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1788
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:3016
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2892
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2336
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2952
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:380
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:944
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:736
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:1072
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:1828
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2040
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2944
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:568
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:916
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:1544
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2056
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2452
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2376
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:764
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:3024
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1756
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:1144
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:3004
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2264
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1560
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2472
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2332
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:972
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2460
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:3060
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1700
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2300
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1972
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2676
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:1992
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2448
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2792
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2660
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:2564
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2840
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:1928
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:836
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2796
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2196
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2532
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2572
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2544
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2224
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2596
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:1640
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2756
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2856
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2752
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2032
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2588
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1940
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1736
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2716
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1336
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:960
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2620
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2872
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:396
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2900
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2888
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:3056
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2080
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2956
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1660
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:2512
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1480
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:1324
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:1244
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1328
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:624
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:736
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2992
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:1828
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:316
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2944
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3052
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:916
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:880
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2056
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1404
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2984
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2376
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:3024
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:2228
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1756
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1252
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:984
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1560
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:1536
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2332
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:1056
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2300
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2720
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2832
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:2288
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2828
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:2848
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:1856
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2316
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2552
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3000
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2528
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:836
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:1528
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2524
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2996
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2572
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:1080
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2652
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:376
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2604
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2000
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2152
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2756
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1724
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2788
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2588
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2516
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2880
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1216
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:1060
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1548
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:396
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:1128
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1820
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:660
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1428
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:2628
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2892
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1484
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2980
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2336
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1396
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:1244
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2348
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2016
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:1716
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2424
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:3044
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:916
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1512
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    - Launches sc.exe
    PID:2056
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1916
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2984
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1580
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:1984
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2228
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2220
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:1252
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1756
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:984
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1536
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:1040
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1960
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:1608
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2020
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:2060
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2696
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2832
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2352
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2828
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2664
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2564
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2840
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1928
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2816
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2796
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2536
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2532
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2548
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2572
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2544
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2652
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2224
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2604
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1860
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2152
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2776
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:976
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2788
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1600
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2516
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1340
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1940
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:1592
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2460
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:1548
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2888
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:396
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:3016
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2160
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2192
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:804
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2892
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:944
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2508
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3028
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1396
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2040
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2348
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2252
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:1804
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2992
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    - Launches sc.exe
    PID:1320
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2944
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1680
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:3044
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:880
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:1512
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:784
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1916
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2376
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1580
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:1284
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1964
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1296
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2208
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2472
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:972
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1148
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1536
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2140
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:476
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2692
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2648
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2696
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2852
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2352
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2812
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:2660
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:1084
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2188
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2772
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2148
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2816
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2608
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2536
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2548
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2996
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2764
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2596
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:1640
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1860
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2212
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1784
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2788
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2176
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1956
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2716
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2124
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2428
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2964
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2888
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1712
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:1228
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:960
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2160
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:844
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:804
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2980
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2164
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1244
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:600
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:736
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1752
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:108
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2120
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:752
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:292
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:3052
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2056
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1124
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2984
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1512
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1404
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:348
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:3036
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:1964
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1748
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:1252
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2292
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1508
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2468
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:344
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1728
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2180
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2808
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2692
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:1288
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:2288
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2448
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2828
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2860
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2660
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2664
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2188
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1084
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2148
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2772
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2608
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:1636
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2708
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2704
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2764
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1684
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2580
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2032
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:3004
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2588
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:976
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:1336
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2744
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:1940
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1592
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2460
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2124
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:1128
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:888
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1712
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:1076
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2076
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2500
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:804
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2960
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2164
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2980
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1328
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:736
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2016
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1752
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2120
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:316
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:292
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1696
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2424
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:684
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2452
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:1892
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1028
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:1404
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2084
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1716
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:3024
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:864
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1732
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2292
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:344
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1700
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2180
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:2720
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2692
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2556
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2648
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1288
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2352
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2848
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2552
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2312
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2664
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:1928
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2916
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2524
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2772
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2296
- C:\Windows\system32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2652
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2708
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2544
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2152
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2224
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2032
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1784
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2668
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2788
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:976
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1956
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2744
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2716
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:1592
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1548
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2124
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:396
- C:\Windows\system32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2964
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:3016
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2628
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:660
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1228
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:1428
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2160
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:804
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2512
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1480
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2508
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2432
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2980
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:600
- C:\Windows\system32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:3028
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Time Discovery

T1124

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2412-1-0x0000000077340000-0x0000000077342000-memory.dmp

Filesize
8KB

Download
memory/2412-0-0x000000013F9E0000-0x00000001403FA000-memory.dmp

Filesize
10.1MB

Download
memory/2412-2-0x000000013F9E0000-0x00000001403FA000-memory.dmp

Filesize
10.1MB

Download
memory/2412-3-0x000000013F9E0000-0x00000001403FA000-memory.dmp

Filesize
10.1MB

Download
memory/2412-4-0x000000013F9E0000-0x00000001403FA000-memory.dmp

Filesize
10.1MB

Download
memory/2412-5-0x000000013F9E0000-0x00000001403FA000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads