a938fce1457e7da6428e5db822f0bf7f7bc70426af8615e9c722f5ef8f15ebd0

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 09:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

run.vbs
Size

833B
MD5

312748860fff852c1f7acc06efa63349
SHA1

a816fe8c8e5dd66a955b144447df04b1ba5a8adf
SHA256

a938fce1457e7da6428e5db822f0bf7f7bc70426af8615e9c722f5ef8f15ebd0
SHA512

b1a52727c9ee69bf4b1dc88623510a6dc295948776f66199a78bb7b0adc6d0023504ee15d2c4a488c13918d41448d5d3c4538abe151bfd15878c26e92214a083

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 64 IoCs

evasion

pid	Process
3704	taskkill.exe
3108	taskkill.exe
3904	taskkill.exe
3556	taskkill.exe
3004	taskkill.exe
508	taskkill.exe
4324	taskkill.exe
4548	taskkill.exe
2244	taskkill.exe
1240	taskkill.exe
3284	taskkill.exe
4548	taskkill.exe
4300	taskkill.exe
1972	taskkill.exe
388	taskkill.exe
4452	taskkill.exe
4196	taskkill.exe
2508	taskkill.exe
2124	taskkill.exe
444	taskkill.exe
2704	taskkill.exe
4628	taskkill.exe
2644	taskkill.exe
1472	taskkill.exe
1504	taskkill.exe
4396	taskkill.exe
2576	taskkill.exe
4900	taskkill.exe
3500	taskkill.exe
3948	taskkill.exe
3484	taskkill.exe
2440	taskkill.exe
1176	taskkill.exe
2160	taskkill.exe
1544	taskkill.exe
4228	taskkill.exe
772	taskkill.exe
1836	taskkill.exe
3940	taskkill.exe
4152	taskkill.exe
1196	taskkill.exe
4152	taskkill.exe
2236	taskkill.exe
4044	taskkill.exe
4756	taskkill.exe
2312	taskkill.exe
4200	taskkill.exe
4612	taskkill.exe
336	taskkill.exe
4372	taskkill.exe
2884	taskkill.exe
3016	taskkill.exe
1764	taskkill.exe
336	taskkill.exe
2268	taskkill.exe
1340	taskkill.exe
1336	taskkill.exe
3668	taskkill.exe
532	taskkill.exe
4980	taskkill.exe
2656	taskkill.exe
4364	taskkill.exe
3440	taskkill.exe
3620	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{9A2F1D45-07D6-4C49-8F83-5DAF0CD383D8}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{94AFF84E-CEEA-4066-A458-267EED8047F5}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{DA690DA9-F7D0-4F54-A86F-5313BE3FF9B4}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{5BD19823-A9BE-405B-A908-5DE5C712A7F3}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{3863065F-CB18-49EA-B5A5-C38271EC1ACC}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{2E4411E8-EC6E-4FFA-B3D1-F99CA794CA47}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{2D42B3A3-4C7B-450F-8C11-EFF671EA87E0}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{4A4798BC-E7BB-4416-92DC-5B894FB00A90}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{6D007883-4C5E-4C02-8B12-BF7EA7BEE61D}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{4BC1C673-3706-465C-B616-2B166D25407F}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{CB9333A3-1D5B-4758-9F98-65F6DABF389E}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{7721284D-3A40-4BB5-A443-64577E02926C}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{02FD0248-D50E-4A50-A201-2763EE1F7636}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{03F51E22-4192-4E25-B221-ED8A659C5B30}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{21685045-D8F9-4C77-B361-D91D957F85C9}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{D0193EE5-FA63-47D4-A827-F675F41B86F1}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{A501FD76-9C6A-40EE-AE62-5E41BCFE0019}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{B4364527-91C7-4372-B5D0-8D2617931BA9}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{20AEC604-06FC-4F9B-9A7C-97E1A15DC654}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{8B6E8CB9-B448-42A5-B96D-61C166033902}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{614C382C-D332-4931-AC53-D7D509F3F222}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{6A90BB66-6F9E-4007-BBB9-AD5635C54D21}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{9287EF5A-E4B0-4BCB-BA1E-E05324E296DB}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{EC69A337-CC59-4BAF-A0C5-D7E148A10A95}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{BFD30CDA-3197-4F65-BB9F-D71F16470D7F}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{48CDBFAD-B804-489A-8C2E-178D2886C7C8}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{E6266225-5334-4B03-89EE-6D717B0FBBD9}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{94CC7C73-3ACB-4204-B791-DE6CDE874B83}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{5C8EB70C-DD30-4819-97C0-73598AB1E715}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{52E4B341-D43E-4FA8-8048-0DAE4E8888E0}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{9DB695AE-DA1E-48EC-AFF2-8F965136F332}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{754F097C-9636-4694-8115-C517DE449331}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{D8F3ADAC-255B-4B17-803B-E717C57F6EF8}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{0B979E57-37BC-4275-A153-4E358A640C31}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{5D56E50E-2247-4D47-8E5E-05D6416295D8}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{51055676-D0BF-4292-88E5-28386F28F17E}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{EEB7F822-0BE3-48CB-97D7-625EBAE4CA71}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{04769779-174D-4691-8723-540FBBE4800A}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{E5A2F137-2A79-4BD7-B1CC-9490BA9647F5}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{CA9FBB15-4FEC-4E38-8665-51EA0655F3D6}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{20D611F6-AA34-4BA6-BEE0-FB5D46091A43}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{F276C52F-5F60-4B3D-BC19-50C9E2B8376D}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{36049FD4-F9AA-4DE0-88F0-D02368A0A110}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{063B30A0-B69E-4E4A-82F2-042752B20AFA}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{DAFCAAB9-F13A-4786-9CAE-FA464719A536}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{016559E4-D1D6-4FE3-9647-8F99AFD0D03D}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{38F3DF6F-27B0-44AD-BA08-4BB89D4559AE}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{599B1157-CE47-4C69-AC4C-1CF569D8A4CE}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{01F3274C-34A3-4AF2-B1F3-C7535EB3E35A}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{4ACB763E-1E51-4B25-9856-688C0136704E}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{C132F7C9-48AC-434B-A5F5-AEA9BC7617C3}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{4440B86C-B01F-4588-9105-062DF6386F5A}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{E7F2DC09-BE62-48B1-90A6-285B2DC25E4E}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{8C8AB8E4-5E9F-4B38-939E-206EAF024030}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{FD756ACC-C0B7-4162-865F-8E77A421556D}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{EDF966B4-6641-42ED-8B86-56CB5132D1E4}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{4B24F363-9B80-4616-9773-33FDAFBED589}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{B3465B01-EBCA-4256-B1CE-BA371F97BE99}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{C2F1602A-0B7E-4BFF-9FDC-7F4A6C482EC5}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{CE175746-3D21-4503-AE82-4A748FC8F815}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{08ED5851-EDDB-494C-8383-6FEC4620977A}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{7C2153DD-E2CC-4DBE-9C5F-20DFFB258856}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{2017AFA8-DCFB-4839-9B92-FBE476AA25E6}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{E0599DC5-4F82-4859-BA50-E158797E7D0A}	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1660	WScript.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeCreatePagefilePrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeCreatePagefilePrivilege	2700	explorer.exe
Token: SeDebugPrivilege	2516	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeShutdownPrivilege	2008	explorer.exe
Token: SeCreatePagefilePrivilege	2008	explorer.exe
Token: SeShutdownPrivilege	2008	explorer.exe
Token: SeCreatePagefilePrivilege	2008	explorer.exe
Token: SeShutdownPrivilege	752	explorer.exe
Token: SeCreatePagefilePrivilege	752	explorer.exe
Token: SeShutdownPrivilege	752	explorer.exe
Token: SeCreatePagefilePrivilege	752	explorer.exe
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeShutdownPrivilege	3736	explorer.exe
Token: SeCreatePagefilePrivilege	3736	explorer.exe
Token: SeShutdownPrivilege	3736	explorer.exe
Token: SeCreatePagefilePrivilege	3736	explorer.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeShutdownPrivilege	3912	explorer.exe
Token: SeCreatePagefilePrivilege	3912	explorer.exe
Token: SeShutdownPrivilege	3912	explorer.exe
Token: SeCreatePagefilePrivilege	3912	explorer.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeShutdownPrivilege	1420	explorer.exe
Token: SeCreatePagefilePrivilege	1420	explorer.exe
Token: SeShutdownPrivilege	1420	explorer.exe
Token: SeCreatePagefilePrivilege	1420	explorer.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	3704	taskkill.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeCreatePagefilePrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeCreatePagefilePrivilege	772	explorer.exe
Token: SeDebugPrivilege	1344	taskkill.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeShutdownPrivilege	2728	explorer.exe
Token: SeCreatePagefilePrivilege	2728	explorer.exe
Token: SeShutdownPrivilege	2728	explorer.exe
Token: SeCreatePagefilePrivilege	2728	explorer.exe
Token: SeShutdownPrivilege	4656	explorer.exe
Token: SeCreatePagefilePrivilege	4656	explorer.exe
Token: SeShutdownPrivilege	4656	explorer.exe
Token: SeCreatePagefilePrivilege	4656	explorer.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	3896	taskkill.exe
Token: SeShutdownPrivilege	1524	explorer.exe
Token: SeCreatePagefilePrivilege	1524	explorer.exe
Token: SeShutdownPrivilege	1524	explorer.exe
Token: SeCreatePagefilePrivilege	1524	explorer.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeShutdownPrivilege	4084	explorer.exe
Token: SeCreatePagefilePrivilege	4084	explorer.exe
Token: SeShutdownPrivilege	4084	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4480	explorer.exe
968	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1748	1660	WScript.exe	84
PID 1660 wrote to memory of 1748	1660	WScript.exe	84
PID 1660 wrote to memory of 2008	1660	WScript.exe	86
PID 1660 wrote to memory of 2008	1660	WScript.exe	86
PID 1660 wrote to memory of 4508	1660	WScript.exe	89
PID 1660 wrote to memory of 4508	1660	WScript.exe	89
PID 1660 wrote to memory of 2516	1660	WScript.exe	103
PID 1660 wrote to memory of 2516	1660	WScript.exe	103
PID 1660 wrote to memory of 2700	1660	WScript.exe	105
PID 1660 wrote to memory of 2700	1660	WScript.exe	105
PID 1660 wrote to memory of 2280	1660	WScript.exe	106
PID 1660 wrote to memory of 2280	1660	WScript.exe	106
PID 1660 wrote to memory of 2008	1660	WScript.exe	108
PID 1660 wrote to memory of 2008	1660	WScript.exe	108
PID 1660 wrote to memory of 4684	1660	WScript.exe	110
PID 1660 wrote to memory of 4684	1660	WScript.exe	110
PID 1660 wrote to memory of 752	1660	WScript.exe	112
PID 1660 wrote to memory of 752	1660	WScript.exe	112
PID 1660 wrote to memory of 5036	1660	WScript.exe	113
PID 1660 wrote to memory of 5036	1660	WScript.exe	113
PID 1660 wrote to memory of 3736	1660	WScript.exe	115
PID 1660 wrote to memory of 3736	1660	WScript.exe	115
PID 1660 wrote to memory of 3572	1660	WScript.exe	116
PID 1660 wrote to memory of 3572	1660	WScript.exe	116
PID 1660 wrote to memory of 3912	1660	WScript.exe	118
PID 1660 wrote to memory of 3912	1660	WScript.exe	118
PID 1660 wrote to memory of 3892	1660	WScript.exe	119
PID 1660 wrote to memory of 3892	1660	WScript.exe	119
PID 1660 wrote to memory of 1420	1660	WScript.exe	121
PID 1660 wrote to memory of 1420	1660	WScript.exe	121
PID 1660 wrote to memory of 1448	1660	WScript.exe	122
PID 1660 wrote to memory of 1448	1660	WScript.exe	122
PID 1660 wrote to memory of 3924	1660	WScript.exe	124
PID 1660 wrote to memory of 3924	1660	WScript.exe	124
PID 1660 wrote to memory of 1048	1660	WScript.exe	126
PID 1660 wrote to memory of 1048	1660	WScript.exe	126
PID 1660 wrote to memory of 4900	1660	WScript.exe	128
PID 1660 wrote to memory of 4900	1660	WScript.exe	128
PID 1660 wrote to memory of 3704	1660	WScript.exe	129
PID 1660 wrote to memory of 3704	1660	WScript.exe	129
PID 1660 wrote to memory of 772	1660	WScript.exe	131
PID 1660 wrote to memory of 772	1660	WScript.exe	131
PID 1660 wrote to memory of 1344	1660	WScript.exe	132
PID 1660 wrote to memory of 1344	1660	WScript.exe	132
PID 1660 wrote to memory of 4344	1660	WScript.exe	134
PID 1660 wrote to memory of 4344	1660	WScript.exe	134
PID 1660 wrote to memory of 2508	1660	WScript.exe	135
PID 1660 wrote to memory of 2508	1660	WScript.exe	135
PID 1660 wrote to memory of 836	1660	WScript.exe	137
PID 1660 wrote to memory of 836	1660	WScript.exe	137
PID 1660 wrote to memory of 4308	1660	WScript.exe	138
PID 1660 wrote to memory of 4308	1660	WScript.exe	138
PID 1660 wrote to memory of 2728	1660	WScript.exe	140
PID 1660 wrote to memory of 2728	1660	WScript.exe	140
PID 1660 wrote to memory of 3832	1660	WScript.exe	142
PID 1660 wrote to memory of 3832	1660	WScript.exe	142
PID 1660 wrote to memory of 4656	1660	WScript.exe	144
PID 1660 wrote to memory of 4656	1660	WScript.exe	144
PID 1660 wrote to memory of 3896	1660	WScript.exe	145
PID 1660 wrote to memory of 3896	1660	WScript.exe	145
PID 1660 wrote to memory of 1524	1660	WScript.exe	147
PID 1660 wrote to memory of 1524	1660	WScript.exe	147
PID 1660 wrote to memory of 2244	1660	WScript.exe	148
PID 1660 wrote to memory of 2244	1660	WScript.exe	148

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4508
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3924
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4900
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4344
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4516
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1268
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4056
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:3852
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4900
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4656
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3748
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2684
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1504
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:3408
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1844
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:1220
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1668
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4392
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4248
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1980
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3892
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:2828
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3500
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2796
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4304
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:464
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4152
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:1772
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3620
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:2804
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4340
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1152
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4504
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:4616
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2632
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4092
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1772
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:2828
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:740
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1784
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2656
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:2408
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4628
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:4092
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4392
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1548
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:396
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:740
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4308
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4340
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3712
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3668
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2268
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1268
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4440
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2828
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1256
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2464
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1628
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3832
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:532
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2848
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4656
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:2168
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1684
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3568
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2760
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:448
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3620
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3084
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2124
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:608
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:552
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:5040
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2040
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1592
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1308
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:1880
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1252
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:1196
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4960
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1344
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:636
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:2956
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1784
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2248
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1748
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4344
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3948
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:4416
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2068
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3408
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3108
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1668
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:388
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3276
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2280
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3960
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2324
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:4200
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4372
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:712
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2032
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:4004
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1748
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3728
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4364
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3100
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1880
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4824
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2728
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:208
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3576
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3648
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2896
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4644
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2884
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2312
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4024
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3648
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2644
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2168
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2516
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2868
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3832
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2828
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3644
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:836
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3100
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1648
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1196
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:752
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1504
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:1192
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:808
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1500
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4168
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4496
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:996
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1196
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3688
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3528
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1628
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4672
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4392
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4624
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3116
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3904
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2632
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:540
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4140
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1544
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3716
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2568
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:1972
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1084
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:1448
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4660
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1788
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:740
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:2192
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:444
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3100
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4452
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:1336
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4464
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2568
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3016
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:720
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4496
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4300
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3032
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:3372
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2484
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1504
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3948
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2760
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4792
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4764
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4656
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1192
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4396
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:676
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3904
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:712
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2516
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:1312
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3992
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4556
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1836
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:712
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1336
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2516
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1084
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:3972
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2184
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1836
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:632
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1336
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3776
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3528
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4152
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3372
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:3512
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2644
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4924
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3556
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4080
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:208
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:1884
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3676
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4056
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:444
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:2260
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4156
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4340
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1884
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4228
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2508
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4056
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4184
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4548
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4952
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2468
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4156
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2516
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1788
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:1152
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2312
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4668
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3516
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:2260
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4228
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4024
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4296
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:5096
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4608
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4184
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:2244
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2004
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3776
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:608
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3960
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1084
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1788
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3704
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1668
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3516
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3644
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3004
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:1544
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1240
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:1784
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1096
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1452
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2704
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:1308
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2260
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4072
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4300
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4984
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1972
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1544
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4628
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2576
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3608
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1480
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4516
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2236
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3964
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3036
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4316
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2656
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1332
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3236
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3384
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2816
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:4480
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4916
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3436
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3232
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:1980
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4200
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4388
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4104
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2124
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4380
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4784
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3876
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3664
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3856
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4184
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:388
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3844
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:228
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3352
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4044
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3876
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3276
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1920
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4084
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2848
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3904
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1344
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:2208
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1764
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:844
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1312
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3440
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4392
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1596
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1344
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4364
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4356
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:4968
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4168
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2652
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3404
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:968
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3668
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:5096
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2180
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:1808
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4056
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:968
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3484
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1944
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2440
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3904
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:464
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4392
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:508
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2704
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3436
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:2124
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4756
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:336
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4176
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:2816
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3904
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4492
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:772
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4396
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1836
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:1548
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1928
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:4208
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1176
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3532
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:812
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:4380
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4880
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4392
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3936
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:5060
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3004
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1312
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3808
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4744
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3580
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2312
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:1884
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3548
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3964
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3664
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4940
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:5072
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3568
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3876
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3896
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3936
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4492
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3284
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4440
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4364
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4208
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:536
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3580
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:772
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:388
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2884
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4796
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3832
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4304
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3916
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:2152
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:336
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3672
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4324
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:444
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:772
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:4668
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3940
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3964
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3788
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3052
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:3524
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:532
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3548
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4548
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3896
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3568
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4792
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3108
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:648
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2280
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2160
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2200
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2896
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4120
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4612
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:3328
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4548
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1476
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2684
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  PID:1668
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4984
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:996
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3708
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:396
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1684
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:2004
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:772
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4612
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:5060
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:752
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2504
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:5096
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:5072
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4548
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:5036
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:532
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4508
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2568
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  PID:4976
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4556
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:752
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3232
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4316
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:1448
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:740
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4196
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4924
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3280
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2408
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1472
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2876
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4292
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:5032
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4980
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2232
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3896
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:444
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:336
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3004
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4940
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3844
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:3080
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3404
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:2576
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4756
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4708
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3524
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1340
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4324
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4712
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:844
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4248
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3588
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  PID:3440
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3548
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:5108
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2180
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  PID:4208
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3372

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\DECAHEDRON5.txt

Filesize
7B

MD5
9a6652014d543dbccf03ff83d05e3cfa

SHA1
9b209b92d3f0b674eab16291aad6fdc125d6098a

SHA256
cd1e9486c4fdc986f20684379db1873ee30a0dd6280d5dddb4f63b7a8aff9362

SHA512
4f31bac9d81b99559394affbda11db9dbb09d48c194d41ad556a1c2b875fd68ebe03d58cc13e591316ad0dec527d970c7f7030bf09d2d4be1be8882e0d3dc8d0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads