4a3d7c6b66ee0e818f5940aa41dd5a778e4ad8edc66cfe892996f6c4da417b1b

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe
Size

4.3MB
MD5

69a17741bd43a2004532c6ff52f42cf7
SHA1

4a7ea7db2595f83f0aceb87b687c16f369c4ef7f
SHA256

4a3d7c6b66ee0e818f5940aa41dd5a778e4ad8edc66cfe892996f6c4da417b1b
SHA512

cf9f5a03716ae9a70f8603cd5a3cdff238ec1778c2902f22c10ec874bd202c03e1e6c75bc564544402eda738a0b4bbf1fba5e9bfc162698a4df65215913a86b5
SSDEEP

98304:kaDc4W94xIK+wESdYgpIZb/mDkIPktyFF1gK59Pksq47QO6f40JTl:kaDS94xIFwE3q4b/mAJ4FFqoasqE0Vl

Score

9^/10

discovery evasion execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4072-0-0x00007FF781750000-0x00007FF78216A000-memory.dmp	themida
behavioral2/memory/4072-2-0x00007FF781750000-0x00007FF78216A000-memory.dmp	themida
behavioral2/memory/4072-3-0x00007FF781750000-0x00007FF78216A000-memory.dmp	themida
behavioral2/memory/4072-4-0x00007FF781750000-0x00007FF78216A000-memory.dmp	themida
behavioral2/memory/4072-5-0x00007FF781750000-0x00007FF78216A000-memory.dmp	themida
behavioral2/memory/4072-7-0x00007FF781750000-0x00007FF78216A000-memory.dmp	themida
behavioral2/memory/4072-8-0x00007FF781750000-0x00007FF78216A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1608	sc.exe
3300	sc.exe
1952	sc.exe
1576	Process not Found
4080	Process not Found
2056	sc.exe
3820	sc.exe
532	Process not Found
1540	Process not Found
2808	Process not Found
3284	sc.exe
1680	Process not Found
796	Process not Found
1456	sc.exe
4288	sc.exe
1844	sc.exe
3628	sc.exe
4480	sc.exe
1692	Process not Found
1852	Process not Found
4500	Process not Found
732	Process not Found
4676	Process not Found
3656	Process not Found
428	sc.exe
1252	sc.exe
1516	sc.exe
4500	sc.exe
1420	sc.exe
528	Process not Found
1072	Process not Found
2560	sc.exe
872	sc.exe
2864	sc.exe
396	sc.exe
4300	Process not Found
2384	sc.exe
1016	sc.exe
4168	Process not Found
1148	sc.exe
3216	sc.exe
4088	sc.exe
3388	sc.exe
3300	sc.exe
3284	Process not Found
728	Process not Found
3812	sc.exe
2508	sc.exe
1704	sc.exe
1576	Process not Found
2316	Process not Found
2252	sc.exe
5104	sc.exe
2208	Process not Found
3640	Process not Found
4672	Process not Found
1692	sc.exe
1372	sc.exe
4664	sc.exe
3328	Process not Found
1124	Process not Found
1072	sc.exe
2308	sc.exe
1516	sc.exe

System Time Discovery 1 TTPs 64 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2548	Process not Found
4088	Process not Found
1516	Process not Found
2192	SystemSettingsAdminFlows.exe
728	SystemSettingsAdminFlows.exe
2056	SystemSettingsAdminFlows.exe
1248	cmd.exe
964	SystemSettingsAdminFlows.exe
3588	Process not Found
3168	SystemSettingsAdminFlows.exe
3216	cmd.exe
1452	cmd.exe
3096	Process not Found
5036	Process not Found
1516	SystemSettingsAdminFlows.exe
3196	SystemSettingsAdminFlows.exe
4428	cmd.exe
4148	SystemSettingsAdminFlows.exe
4672	Process not Found
1036	cmd.exe
2740	SystemSettingsAdminFlows.exe
4328	Process not Found
4676	cmd.exe
724	Process not Found
3592	Process not Found
2968	Process not Found
2104	Process not Found
3168	SystemSettingsAdminFlows.exe
4736	SystemSettingsAdminFlows.exe
2264	cmd.exe
4916	cmd.exe
1704	SystemSettingsAdminFlows.exe
4960	SystemSettingsAdminFlows.exe
1760	SystemSettingsAdminFlows.exe
2492	cmd.exe
4944	Process not Found
3280	Process not Found
2504	Process not Found
2508	Process not Found
3100	Process not Found
5064	SystemSettingsAdminFlows.exe
620	Process not Found
4628	Process not Found
4888	SystemSettingsAdminFlows.exe
3024	cmd.exe
1704	SystemSettingsAdminFlows.exe
1148	SystemSettingsAdminFlows.exe
764	cmd.exe
2308	cmd.exe
2704	Process not Found
4244	Process not Found
2224	cmd.exe
984	SystemSettingsAdminFlows.exe
4964	Process not Found
3648	Process not Found
4676	Process not Found
1952	SystemSettingsAdminFlows.exe
4412	Process not Found
3736	Process not Found
1072	cmd.exe
396	Process not Found
4088	cmd.exe
4940	cmd.exe
3840	cmd.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2488	taskkill.exe
4924	Process not Found
1676	Process not Found
4424	taskkill.exe
1620	taskkill.exe
4708	taskkill.exe
2524	Process not Found
2780	Process not Found
2092	Process not Found
2644	taskkill.exe
4424	Process not Found
2628	Process not Found
3340	taskkill.exe
3832	taskkill.exe
532	taskkill.exe
5004	taskkill.exe
4140	taskkill.exe
1456	taskkill.exe
3656	taskkill.exe
4604	taskkill.exe
4152	Process not Found
2780	taskkill.exe
4244	taskkill.exe
1320	taskkill.exe
3424	Process not Found
964	taskkill.exe
1548	taskkill.exe
4672	taskkill.exe
3268	Process not Found
1952	taskkill.exe
3672	Process not Found
3308	Process not Found
2320	Process not Found
3924	Process not Found
2652	taskkill.exe
2532	taskkill.exe
3312	taskkill.exe
5088	taskkill.exe
3284	Process not Found
2488	Process not Found
2704	taskkill.exe
1092	Process not Found
3096	taskkill.exe
3356	Process not Found
1324	Process not Found
3172	taskkill.exe
3604	taskkill.exe
2068	Process not Found
4968	Process not Found
4404	Process not Found
3804	taskkill.exe
1268	taskkill.exe
2448	Process not Found
5088	taskkill.exe
1400	Process not Found
3284	taskkill.exe
3812	taskkill.exe
1728	taskkill.exe
4432	Process not Found
928	taskkill.exe
332	taskkill.exe
2240	Process not Found
3800	taskkill.exe
4156	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	836	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	3504	taskkill.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	3172	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	4208	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	4140	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	3228	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	3284	taskkill.exe
Token: SeDebugPrivilege	3312	taskkill.exe
Token: SeDebugPrivilege	3264	taskkill.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	3468	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	3308	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	4432	taskkill.exe
Token: SeDebugPrivilege	3368	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	3284	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	3264	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	4692	taskkill.exe
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	3340	taskkill.exe
Token: SeDebugPrivilege	1412	taskkill.exe
Token: SeDebugPrivilege	3372	taskkill.exe
Token: SeDebugPrivilege	808	taskkill.exe
Token: SeDebugPrivilege	452	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	3656	taskkill.exe
Token: SeDebugPrivilege	3356	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeDebugPrivilege	3760	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	3216	taskkill.exe
Token: SeDebugPrivilege	3472	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	3228	taskkill.exe
Token: SeDebugPrivilege	3284	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 2596	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	85
PID 4072 wrote to memory of 2596	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	85
PID 2596 wrote to memory of 2192	2596	cmd.exe	88
PID 2596 wrote to memory of 2192	2596	cmd.exe	88
PID 4072 wrote to memory of 3172	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	90
PID 4072 wrote to memory of 3172	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	90
PID 3172 wrote to memory of 216	3172	cmd.exe	92
PID 3172 wrote to memory of 216	3172	cmd.exe	92
PID 4072 wrote to memory of 532	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	94
PID 4072 wrote to memory of 532	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	94
PID 532 wrote to memory of 4672	532	cmd.exe	96
PID 532 wrote to memory of 4672	532	cmd.exe	96
PID 4072 wrote to memory of 3756	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	98
PID 4072 wrote to memory of 3756	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	98
PID 3756 wrote to memory of 836	3756	cmd.exe	100
PID 3756 wrote to memory of 836	3756	cmd.exe	100
PID 4072 wrote to memory of 3312	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	101
PID 4072 wrote to memory of 3312	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	101
PID 3312 wrote to memory of 4872	3312	cmd.exe	103
PID 3312 wrote to memory of 4872	3312	cmd.exe	103
PID 4072 wrote to memory of 4600	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	104
PID 4072 wrote to memory of 4600	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	104
PID 4600 wrote to memory of 676	4600	cmd.exe	106
PID 4600 wrote to memory of 676	4600	cmd.exe	106
PID 4072 wrote to memory of 4632	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	107
PID 4072 wrote to memory of 4632	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	107
PID 4632 wrote to memory of 3504	4632	cmd.exe	109
PID 4632 wrote to memory of 3504	4632	cmd.exe	109
PID 4072 wrote to memory of 4104	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	110
PID 4072 wrote to memory of 4104	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	110
PID 4104 wrote to memory of 4120	4104	cmd.exe	112
PID 4104 wrote to memory of 4120	4104	cmd.exe	112
PID 4072 wrote to memory of 2724	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	113
PID 4072 wrote to memory of 2724	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	113
PID 2724 wrote to memory of 3800	2724	cmd.exe	115
PID 2724 wrote to memory of 3800	2724	cmd.exe	115
PID 4072 wrote to memory of 2536	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	116
PID 4072 wrote to memory of 2536	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	116
PID 2536 wrote to memory of 3692	2536	cmd.exe	118
PID 2536 wrote to memory of 3692	2536	cmd.exe	118
PID 4072 wrote to memory of 3280	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	119
PID 4072 wrote to memory of 3280	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	119
PID 3280 wrote to memory of 2196	3280	cmd.exe	121
PID 3280 wrote to memory of 2196	3280	cmd.exe	121
PID 4072 wrote to memory of 1548	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	122
PID 4072 wrote to memory of 1548	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	122
PID 1548 wrote to memory of 1704	1548	cmd.exe	124
PID 1548 wrote to memory of 1704	1548	cmd.exe	124
PID 4072 wrote to memory of 1268	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	125
PID 4072 wrote to memory of 1268	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	125
PID 1268 wrote to memory of 3244	1268	cmd.exe	127
PID 1268 wrote to memory of 3244	1268	cmd.exe	127
PID 4072 wrote to memory of 1840	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	128
PID 4072 wrote to memory of 1840	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	128
PID 1840 wrote to memory of 2032	1840	cmd.exe	130
PID 1840 wrote to memory of 2032	1840	cmd.exe	130
PID 4072 wrote to memory of 4312	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	131
PID 4072 wrote to memory of 4312	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	131
PID 4312 wrote to memory of 4888	4312	cmd.exe	135
PID 4312 wrote to memory of 4888	4312	cmd.exe	135
PID 4072 wrote to memory of 4908	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	136
PID 4072 wrote to memory of 4908	4072	69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe	136
PID 4908 wrote to memory of 4560	4908	cmd.exe	138
PID 4908 wrote to memory of 4560	4908	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69a17741bd43a2004532c6ff52f42cf7_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:2192
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4672
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:3692
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2196
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:1704
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:3244
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2032
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:4888
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:4560
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:4652
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:864
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:4088
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:1516
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:3468
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:216
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3172
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:3300
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:532
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:836
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:3092
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:3972
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3804
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3080
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4140
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:768
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:5088
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:620
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2476
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2992
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:3280
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1064
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1812
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1728
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:4392
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:1268
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:396
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:4916
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:1668
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2448
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2080
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:2056
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:728
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:3548
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1152
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3228
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:3760
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3140
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2420
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3284
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:4208
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3312
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:4584
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:4892
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:1096
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:1136
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2948
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:4812
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:4300
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:3024
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:436
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1452
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1704
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:4356
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:3920
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:1248
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2544
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2780
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:4864
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:3656
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:1576
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:4940
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:3168
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:5004
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3468
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:3832
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:3112
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:3760
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:228
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:3388
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:1948
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:5080
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:3892
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2724
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:4056
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2948
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:4300
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:4552
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:436
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:4112
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1704
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1680
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:3920
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:3096
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2544
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:1148
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:4864
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:4548
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:3656
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:2056
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:864
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3368
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2548
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:4736
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3140
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:3112
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3284
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2644
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:532
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:4208
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3092
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:3964
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1456
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:3892
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2068
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:4332
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:4360
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2436
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2384
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:4884
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:3036
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:5044
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:3244
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1840
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:5064
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1668
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:4104
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:4916
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:3196
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:3192
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:5072
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1188
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3340
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:4924
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2652
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1320
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:808
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2644
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:452
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3792
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:3872
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2704
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:3156
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:1540
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1420
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    - Launches sc.exe
    PID:1692
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:940
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:3080
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:3128
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:1372
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2792
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:1452
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2320
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2148
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:4216
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2444
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:1576
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:4888
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2488
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2240
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:3368
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:8
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3356
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:216
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4308
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:332
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:4872
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4424
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:532
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:1676
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:4632
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:428
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:1532
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:4692
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    - Launches sc.exe
    PID:1456
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:3972
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:3800
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1980
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1624
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:940
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:5088
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:3128
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2916
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2792
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2148
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2224
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    PID:4964
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1808
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2032
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:4200
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3216
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:3952
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2400
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:364
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3228
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:3680
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3284
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3724
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:4568
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:4600
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1016
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:676
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:5036
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:3804
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:964
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2036
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1196
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2724
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:4552
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2196
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1064
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2384
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:3748
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:4452
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:4428
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:1704
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:4964
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1548
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1852
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:3696
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:4916
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1268
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2924
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:4368
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:4500
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3528
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:3340
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2400
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:5112
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:364
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:4132
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:3284
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:3424
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4156
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2304
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:4400
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:3840
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:4632
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:4180
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:428
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:5036
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1540
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2704
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2724
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:768
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2196
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:4516
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:4332
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:3024
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    PID:3500
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:3096
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:4960
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:620
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:2488
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:5104
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:5108
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:4916
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:3832
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:1844
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3140
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:4504
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2400
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:1732
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:4308
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3756
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:4132
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:3724
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2644
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:4568
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:3792
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:4632
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    - Launches sc.exe
    PID:1072
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:428
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2092
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1540
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:4692
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2724
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:3892
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:4112
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:1624
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:736
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2968
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:3496
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:1704
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:392
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:4888
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2560
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:4964
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2488
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:3784
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2056
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2780
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:3832
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3468
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:3528
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:3472
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:3356
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:4940
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:4868
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:3308
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:332
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:856
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:3688
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:1000
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1744
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    - Launches sc.exe
    PID:2252
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:4620
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1676
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1096
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:1252
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:4692
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:4288
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:724
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:4664
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1624
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:3580
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1248
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:4960
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1452
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2224
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1516
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:620
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1564
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:2056
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2064
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:380
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:1188
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3528
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:4864
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:216
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:940
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:3820
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:2492
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:856
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:4712
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:4424
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1880
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:4568
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1532
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    - Launches sc.exe
    PID:1608
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:4880
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:4224
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:4668
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:4120
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2068
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2992
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2500
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2536
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:4112
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:1472
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2308
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:1148
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:244
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3812
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:380
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:1964
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:4696
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:2400
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2520
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4672
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:3120
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:332
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:3312
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2532
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:3840
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1952
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:928
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:4120
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2036
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:1980
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2724
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2968
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:2664
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:4112
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:4704
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1516
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:4916
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:620
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2924
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:1564
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:4580
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:1964
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1468
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:3356
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:2416
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:1760
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2800
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:4676
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:3284
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:3040
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:4336
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3312
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:3592
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1608
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:3080
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:4448
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:4012
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:1680
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:4744
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1372
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:4332
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1620
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:768
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:4628
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:4356
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2056
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:3784
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:3368
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1564
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:4500
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2548
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:2400
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:3140
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1468
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:1764
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:364
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2416
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:4672
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:3300
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2492
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    PID:2420
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:4412
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:3592
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2992
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:964
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:4712
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:4400
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:3264
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1680
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2384
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2068
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:4552
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4244
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:5108
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:4628
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3192
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:2320
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:728
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3832
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:3356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2400
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1844
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:4088
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    - Launches sc.exe
    PID:3628
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:912
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:3820
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:872
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:4672
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:4688
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2560
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1732
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:3040
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:3284
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2492
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:3840
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:1952
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1692
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:964
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:4880
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:1188
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1096
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:4056
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:736
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2068
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2384
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1620
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:216
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:5000
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:4572
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1148
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:244
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:380
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:4416
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:984
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:3356
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:3772
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1468
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:1240
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1164
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1412
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:4252
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:5068
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:4624
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:1116
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1624
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:3216
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:4872
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:3284
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1036
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:4148
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:452
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:4208
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:4968
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:964
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:3972
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:3984
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:3092
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:4012
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:4600
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:808
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:5092
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:4020
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2196
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:3604
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3168
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:3096
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:3368
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:4888
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2924
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2584
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:3508
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:4416
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:3656
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:5044
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:3628
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:4940
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:536
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:4676
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:5068
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:3688
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1116
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:688
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:3216
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    PID:228
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2532
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:332
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:748
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:3840
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:3672
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:1608
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:4692
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2420
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:3984
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:4516
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:4056
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:3872
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:4744
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1472
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:4020
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:5000
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:1304
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:1268
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:4916
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:4392
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1092
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:3528
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:3824
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1884
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2240
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:4664
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:3140
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:4124
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:3640
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:912
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2800
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:872
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:3688
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    PID:3964
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2724
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:4432
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:3424
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:396
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1516
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:4208
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:748
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1692
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:3592
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:532
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:4692
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:4568
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:3264
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:4360
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:4424
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:3580
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:3036
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3604
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:316
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:3244
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1268
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:3124
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:4392
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:2308
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:3528
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:3812
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:540
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:2032
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:3772
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:1764
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:864
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:4088
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:5088
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    PID:872
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:4964
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:436
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:3372
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:1064
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1116
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:332
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:4920
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:4208
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:4160
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:964
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:3312
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:3756
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2864
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:4568
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:4712
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:4360
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:1540
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2148
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:4424
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:4744
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:5092
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:5000
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:4020
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1268
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2384
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:4392
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:216
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:3528
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1092
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2584
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:540
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:4416
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:4404
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    PID:3656
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2740
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:4396
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:3308
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:808
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:3404
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:4964
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:2436
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2928
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:1760
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:4168
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:1704
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:4208
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2704
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:928
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3080
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:3312
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:4692
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2476
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:3972
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:736
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:3844
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:4244
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2148
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:4056
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:4744
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1420
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:5000
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:3692
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1268
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:2444
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:3096
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2488
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:4572
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    PID:1884
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:4368
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:3952
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2924
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:3656
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:4124
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:4396
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:4944
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1320
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:3308
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:4896
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:436
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:3216
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:4112
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:1676
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3296
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:1456
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:940
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:4224
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:4160
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:1864
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1968
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:532
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:2208
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2792
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:736
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1576
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:4216
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:4480
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:1980
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:3388
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:116
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:5092
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1452
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:3168
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2064
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2488
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2308
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:2032
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:244
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:1764
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:1092
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:4088
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:864
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4708
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2432
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2664
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:4252
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:872
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:688
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:3308
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:3340
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:3404
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1548
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:1760
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:4148
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:2092
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1456
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:1608
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:4996
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:4968
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2704
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:532
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:3804
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:1840
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:2864
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:4712
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:1372
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    PID:1540
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1472
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2148
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2104
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:116
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:2448
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:4680
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:1452
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2384
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:3124
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3812
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:380
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:1744
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:1764
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:5104
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3508
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:5004
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:3472
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:5088
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:808
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:5068
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:3572
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:3300
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1080
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:4896
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1720
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:3340
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:3724
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:3284
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:332
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:3820
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:4920
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:1516
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:3424
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:4736
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:4180
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:928
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:2552
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:4400
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:4812
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:3252
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:736
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1620
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:3180
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4604
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2104
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:2968
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2448
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3096
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:1304
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:984
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:3156
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:3192
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2880
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:4080
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:4404
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:4664
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:4708
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:2240
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1092
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:3628
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:2400
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:5068
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2812
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:3300
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:1296
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:688
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:4676
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    PID:3340
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:1720
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:856
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:1244
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:332
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1384
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:940
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:4736
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:1952
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:4160
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2792
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:4400
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:4560
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:732
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2148
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3984
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:3604
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:4424
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2192
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:3128
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2384
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:3096
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    - Launches sc.exe
    PID:2508
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1884
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:3528
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:4164
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:1268
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:4080
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:5072
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:4292
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:5104
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:3924
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:3472
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:2264
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:2740
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:2316
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:3300
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:3688
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:3572
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:1200
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:1540
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:3216
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1728
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:4168
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:2096
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:4132
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:3120
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:1324
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:4920
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:4620
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:452
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:4448
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:3080
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:928
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2864
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:3972
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:1620
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:4584
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1420
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:4604
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:4600
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:4680
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:3388
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:3892
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:4916
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:3784
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:3920
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:764
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:984
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:3736
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:4500
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:4988
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:2280
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:4292
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:4868
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:5004
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2740
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:2924
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3300
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2664
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:872
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2416
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:2036
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:428
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:3724
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:4676
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:2096
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2644
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:3680
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:3120
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:4880
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:1516
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:1952
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:3592
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:676
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:3912
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:1016
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:3296
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:4244
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:4400
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:2992
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  - System Time Discovery
  PID:1072
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:5064
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:3264
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:2104
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:4680
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:5092
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:620
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:3784
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:3244
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:216
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:4368
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:3736
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:4888
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:4612
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2504
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:3356
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3824
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:4672
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:2400
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:1568
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:2684
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:2224
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:1296
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:1540
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:3588
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:3308
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:1676
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:396
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:3500
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:1704
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:4288
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:800
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:4880
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:4920
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:748
- - C:\Windows\system32\SystemSettingsAdminFlows.exe
    SystemSettingsAdminFlows.exe SetInternetTime 1
    3⤵
    - System Time Discovery
    PID:964
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T"
  2⤵
  PID:4620
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    PID:1016
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T"
  2⤵
  PID:392
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    PID:3252
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T"
  2⤵
  PID:3672
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    PID:4812
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq charles*" /IM * /F /T"
  2⤵
  PID:1544
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    PID:2708
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T"
  2⤵
  PID:4704
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    PID:1196
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq ida*" /IM * /F /T"
  2⤵
  PID:2444
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    PID:4680
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T"
  2⤵
  PID:2768
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    PID:424
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T"
  2⤵
  PID:3812
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    PID:724
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T"
  2⤵
  PID:1520
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq "Process Hacker*" /IM * /F /T
    3⤵
    PID:3736
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerPro"
  2⤵
  PID:1964
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    PID:4156
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop HTTPDebuggerProSdk"
  2⤵
  PID:4612
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerProSdk
    3⤵
    PID:4960
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker3"
  2⤵
  PID:3496
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    PID:3648
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker2"
  2⤵
  PID:2432
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    PID:4124
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop KProcessHacker1"
  2⤵
  PID:212
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    PID:3656
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop wireshark"
  2⤵
  PID:2316
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    PID:3572
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "sc stop npf"
  2⤵
  PID:872
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    PID:1564
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C "SystemSettingsAdminFlows.exe SetInternetTime 1"
  2⤵
  PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Time Discovery

T1124

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4072-0-0x00007FF781750000-0x00007FF78216A000-memory.dmp

Filesize
10.1MB

Download
memory/4072-1-0x00007FFCFEBF0000-0x00007FFCFEBF2000-memory.dmp

Filesize
8KB

Download
memory/4072-2-0x00007FF781750000-0x00007FF78216A000-memory.dmp

Filesize
10.1MB

Download
memory/4072-3-0x00007FF781750000-0x00007FF78216A000-memory.dmp

Filesize
10.1MB

Download
memory/4072-4-0x00007FF781750000-0x00007FF78216A000-memory.dmp

Filesize
10.1MB

Download
memory/4072-5-0x00007FF781750000-0x00007FF78216A000-memory.dmp

Filesize
10.1MB

Download
memory/4072-7-0x00007FF781750000-0x00007FF78216A000-memory.dmp

Filesize
10.1MB

Download
memory/4072-8-0x00007FF781750000-0x00007FF78216A000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads