420bf0074bd44502304ad11385d074f80e04827529920c2ef9fe06e19c475f25

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3963266117746beab6dd5b66696a135a.exe
Size

106KB
MD5

3963266117746beab6dd5b66696a135a
SHA1

45e4b3614f5a3b50af94a7951cc820720c57db9f
SHA256

420bf0074bd44502304ad11385d074f80e04827529920c2ef9fe06e19c475f25
SHA512

8f11f6c228a3ec6b578fe43405b0e5427cd051642081b91241e5444e3a3b34ee597ff96daf70a20766c56900dffa10e90281cad5f439b6853e5f51fd5977f761
SSDEEP

1536:7+qolpTirGvR5knwm8Uq9Q0a7KIV0XelWHlsdGHXFA2T259FTOrSqCYJKEO3n:qq6irEqnwh9Ha3CeMHWGXbuLYJKP3n

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\inf\\Utilman.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "Userinit.exe, C:\\Windows\\system\\FrozenTearz.exe"	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	REG.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	REG.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 10 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	REG.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	REG.exe

Sets file execution options in registry 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "taskmgr.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "wscript.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "regedit.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\lsass.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "msmsgs.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe\debugger = "C:\\Windows\\inf\\Utilman.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\system\\FrozenTearz.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\debugger = "C:\\Windows\\Fonts\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\debugger = "C:\\Windows\\inf\\Utilman.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "mspaint.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "msconfig.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmsgs.exe\debugger = "C:\\Windows\\system\\FrozenTearz.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "rstrui.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "C:\\Windows\\Prefetch\\lsass.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "calc.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "regedt32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmsgs.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\Web\\explorer.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\debugger = "C:\\Windows\\inf\\Utilman.exe"	lsass.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe	lsass.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe	lsass.exe

Executes dropped EXE 64 IoCs

pid	Process
2832	lsass.exe
3016	FrozenTearz.exe
1404	Utilman.exe
2796	csrss.exe
2960	explorer.exe
1224	lsass.exe
2468	FrozenTearz.exe
1564	Utilman.exe
1944	csrss.exe
1248	FrozenTearz.exe
1636	explorer.exe
2404	lsass.exe
604	Utilman.exe
2104	lsass.exe
2660	csrss.exe
2284	explorer.exe
2520	lsass.exe
888	lsass.exe
1732	FrozenTearz.exe
2552	Utilman.exe
2396	csrss.exe
2460	explorer.exe
2728	lsass.exe
2824	lsass.exe
2572	FrozenTearz.exe
476	Utilman.exe
1020	csrss.exe
2780	explorer.exe
2804	lsass.exe
1336	lsass.exe
2132	FrozenTearz.exe
2068	Utilman.exe
2276	csrss.exe
1928	explorer.exe
1796	lsass.exe
1816	lsass.exe
2320	FrozenTearz.exe
896	Utilman.exe
112	csrss.exe
2484	explorer.exe
2116	lsass.exe
2092	lsass.exe
2652	FrozenTearz.exe
2632	FrozenTearz.exe
380	Utilman.exe
1988	csrss.exe
2940	Utilman.exe
1520	explorer.exe
1724	csrss.exe
1116	lsass.exe
3036	explorer.exe
1640	lsass.exe
1056	lsass.exe
3004	lsass.exe
2320	FrozenTearz.exe
2520	Utilman.exe
2624	FrozenTearz.exe
2304	Utilman.exe
380	csrss.exe
1672	csrss.exe
2564	explorer.exe
2792	explorer.exe
1988	lsass.exe
2360	lsass.exe

Loads dropped DLL 64 IoCs

pid	Process
1640	3963266117746beab6dd5b66696a135a.exe
1640	3963266117746beab6dd5b66696a135a.exe
1640	3963266117746beab6dd5b66696a135a.exe
1640	3963266117746beab6dd5b66696a135a.exe
1640	3963266117746beab6dd5b66696a135a.exe
1640	3963266117746beab6dd5b66696a135a.exe
1640	3963266117746beab6dd5b66696a135a.exe
1640	3963266117746beab6dd5b66696a135a.exe
1640	3963266117746beab6dd5b66696a135a.exe
1640	3963266117746beab6dd5b66696a135a.exe
1640	3963266117746beab6dd5b66696a135a.exe
1640	3963266117746beab6dd5b66696a135a.exe
2832	lsass.exe
2832	lsass.exe
2832	lsass.exe
1404	Utilman.exe
2832	lsass.exe
2832	lsass.exe
1404	Utilman.exe
1404	Utilman.exe
1404	Utilman.exe
1404	Utilman.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
1404	Utilman.exe
1404	Utilman.exe
1404	Utilman.exe
1404	Utilman.exe
1404	Utilman.exe
2832	lsass.exe
2832	lsass.exe
2832	lsass.exe
2832	lsass.exe
2832	lsass.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2796	csrss.exe
2832	lsass.exe
1224	lsass.exe
1224	lsass.exe
1224	lsass.exe
2832	lsass.exe
1224	lsass.exe
2832	lsass.exe
2832	lsass.exe
1224	lsass.exe
2832	lsass.exe
2796	csrss.exe
2796	csrss.exe
2832	lsass.exe
2832	lsass.exe
2832	lsass.exe
2796	csrss.exe
2832	lsass.exe
2796	csrss.exe
2796	csrss.exe
2832	lsass.exe
1224	lsass.exe
1224	lsass.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1640-0-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/files/0x0009000000016fe9-9.dat	upx
behavioral1/memory/2832-40-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/3016-68-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1640-71-0x0000000002460000-0x00000000024CA000-memory.dmp	upx
behavioral1/memory/1404-78-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1640-107-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1640-109-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2832-113-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/3016-149-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2468-154-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2468-155-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1404-160-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1564-165-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2796-176-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1636-178-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1636-179-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2960-181-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1944-169-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2404-186-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1248-187-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1224-197-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/604-194-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2660-200-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2284-207-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2104-211-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/888-219-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2520-215-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2832-222-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1404-229-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2796-231-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2960-232-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1732-234-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1224-236-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2552-241-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2396-245-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2460-249-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2728-254-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2824-260-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1404-301-0x0000000003430000-0x000000000349A000-memory.dmp	upx
behavioral1/memory/2572-304-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1404-313-0x0000000003430000-0x000000000349A000-memory.dmp	upx
behavioral1/memory/476-309-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1020-315-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2780-319-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2804-322-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1336-326-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2832-327-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/3016-351-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2132-354-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2068-357-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1404-358-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1928-364-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1796-367-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2796-369-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2960-371-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1816-372-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1224-373-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2320-385-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/896-388-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/112-391-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2484-394-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2116-397-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2092-400-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msmsgs = "C:\\Windows\\Fonts\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce = "C:\\Windows\\Web\\explorer.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\msmsgs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\lsass.exe"	lsass.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Autorun.inf	lsass.exe
File created	F:\Autorun.inf	lsass.exe
File opened for modification	F:\Autorun.inf	lsass.exe
File created	C:\Autorun.inf	lsass.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	Utilman.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	csrss.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	explorer.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	lsass.exe
File created	C:\Windows\SysWOW64\klab0t32.ocx	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	lsass.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	FrozenTearz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Sports.exe	Utilman.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Abu Sayaf gays scandal.exe	Utilman.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\cy.exe	Utilman.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\de-DE.exe	Utilman.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell jpeg.exe	Utilman.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\LC_MESSAGES.exe	Utilman.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\Access animation.exe	Utilman.exe
File created	C:\Program Files (x86)\Google\Update\Offline\Offline.exe	Utilman.exe
File created	C:\Program Files (x86)\Internet Explorer\Yahoo Messenger Hackers Tool.exe	Utilman.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Unicode screensaver.exe	Utilman.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\3082 bitmap.exe	Utilman.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Indiana.exe	Utilman.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\Mutya ng Pilipinas backstage scandal.exe	Utilman.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\Hardcore Asian Picture.exe	Utilman.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Asian Tranny Fucked.exe	Utilman.exe
File created	C:\Program Files\Reference Assemblies\Reference Assemblies jpeg.exe	Utilman.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\Young Busty Teen.exe	Utilman.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\LC_MESSAGES wallpaper.exe	Utilman.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\Horny Babe Screws.exe	Utilman.exe
File created	C:\Program Files\Common Files\System\en-US\Cum in Her Pussy.exe	Utilman.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\com.jrockit.mc.feature.console_5.5.0 background.exe	Utilman.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\META-INF image.exe	Utilman.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\Babe Sucking Cock.exe	Utilman.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\pref.exe	Utilman.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\v3 wallpaper.exe	Utilman.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\1.exe	Utilman.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\fr-FR animation.exe	Utilman.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\de-DE jpeg.exe	Utilman.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\org.eclipse.help_2.0.102.exe	Utilman.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\he image.exe	Utilman.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\Busty Anime Sex Pics.exe	Utilman.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\video_chroma graphics.exe	Utilman.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\LC_MESSAGES icon.exe	Utilman.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\Yahoo Messenger Hackers Tool.exe	Utilman.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\js.exe	Utilman.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\All Busty MILF Pics.exe	Utilman.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\Copy of Image002 sex trip namin ni kuya.exe	Utilman.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\js.exe	Utilman.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\Photo of Jun Lozada ZTE sex scandal.exe	Utilman.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\Microsoft Anti GMA photo.exe	Utilman.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\Toying Brunette.exe	Utilman.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Busty Babe on Santa.exe	Utilman.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\en-US wallpaper.exe	Utilman.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\fr-FR.exe	Utilman.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\Ang sarap kantutin ni ate.exe	Utilman.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\ENU.exe	Utilman.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\8 jpeg.exe	Utilman.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\All Hardcore Picture.exe	Utilman.exe
File created	C:\Program Files\DVD Maker\en-US\Fuck Lesson Picture.exe	Utilman.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\Her 1St Porn Pics.exe	Utilman.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\Busty Anime Sex Pics.exe	Utilman.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\Mature Hardcored.exe	Utilman.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\SPPlugins.exe	Utilman.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\1033 background.exe	Utilman.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\bin.exe	Utilman.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\Babe on the Drums.exe	Utilman.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\css graphics.exe	Utilman.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\Triedit.exe	Utilman.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ink animation.exe	Utilman.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\features.exe	Utilman.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\hu wallpaper.exe	Utilman.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\Backgrounds.exe	Utilman.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\enu-dsk jpeg.exe	Utilman.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\km screensaver.exe	Utilman.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Web\explorer.exe	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\Prefetch\lsass.exe	3963266117746beab6dd5b66696a135a.exe
File created	C:\Windows\Prefetch\lsass.exe	3963266117746beab6dd5b66696a135a.exe
File created	C:\Windows\inf\Utilman.exe	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\Fonts\csrss.exe	3963266117746beab6dd5b66696a135a.exe
File created	C:\Windows\Fonts\csrss.exe	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\Web\explorer.exe	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\system\FrozenTearz.exe	3963266117746beab6dd5b66696a135a.exe
File created	C:\Windows\system\FrozenTearz.exe	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\inf\Utilman.exe	3963266117746beab6dd5b66696a135a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Mandirigma - Tear[A]Door /DoomRiderz"	lsass.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
944	REG.exe
3036	REG.exe
1976	REG.exe
572	REG.exe
2000	REG.exe
2740	REG.exe
1892	REG.exe
2184	REG.exe
2916	REG.exe
2624	REG.exe
1708	REG.exe
2444	REG.exe
940	REG.exe
1524	REG.exe
1464	REG.exe
1880	REG.exe
2688	REG.exe
1092	REG.exe
2860	REG.exe
980	REG.exe
1696	REG.exe
604	REG.exe
888	REG.exe
2320	REG.exe
2592	REG.exe
2724	REG.exe
2280	REG.exe
3044	REG.exe
2412	REG.exe
1504	REG.exe
1064	REG.exe
2552	REG.exe
3000	REG.exe
2580	REG.exe
800	REG.exe
2372	REG.exe
2784	REG.exe
2516	REG.exe
1872	REG.exe
1632	REG.exe
772	REG.exe
1828	REG.exe
984	REG.exe
1500	REG.exe
1372	REG.exe
2436	REG.exe
2736	REG.exe
684	REG.exe
828	REG.exe
1016	REG.exe
924	REG.exe
1688	REG.exe
1652	REG.exe
2684	REG.exe
2552	REG.exe
2420	REG.exe
2856	REG.exe
684	REG.exe
1184	REG.exe
1888	REG.exe
2668	REG.exe
2336	REG.exe
1636	REG.exe
564	REG.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2796	csrss.exe
2960	explorer.exe
2832	lsass.exe
1404	Utilman.exe
1224	lsass.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1080	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1640	3963266117746beab6dd5b66696a135a.exe
2832	lsass.exe
3016	FrozenTearz.exe
1404	Utilman.exe
2796	csrss.exe
2960	explorer.exe
1224	lsass.exe
2468	FrozenTearz.exe
1564	Utilman.exe
1944	csrss.exe
1636	explorer.exe
1248	FrozenTearz.exe
2404	lsass.exe
2104	lsass.exe
604	Utilman.exe
2660	csrss.exe
2284	explorer.exe
2520	lsass.exe
888	lsass.exe
1732	FrozenTearz.exe
2552	Utilman.exe
2396	csrss.exe
2460	explorer.exe
2728	lsass.exe
2824	lsass.exe
2572	FrozenTearz.exe
476	Utilman.exe
1020	csrss.exe
2780	explorer.exe
2804	lsass.exe
1336	lsass.exe
2132	FrozenTearz.exe
2068	Utilman.exe
2276	csrss.exe
1928	explorer.exe
1796	lsass.exe
1816	lsass.exe
2320	FrozenTearz.exe
896	Utilman.exe
112	csrss.exe
2484	explorer.exe
2116	lsass.exe
2092	lsass.exe
2632	FrozenTearz.exe
380	Utilman.exe
2652	FrozenTearz.exe
1988	csrss.exe
2940	Utilman.exe
1520	explorer.exe
1116	lsass.exe
1724	csrss.exe
1640	lsass.exe
3036	explorer.exe
1056	lsass.exe
3004	lsass.exe
2320	FrozenTearz.exe
2624	FrozenTearz.exe
2520	Utilman.exe
2304	Utilman.exe
380	csrss.exe
1672	csrss.exe
2564	explorer.exe
2792	explorer.exe
1988	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1080	1640	3963266117746beab6dd5b66696a135a.exe	28
PID 1640 wrote to memory of 1080	1640	3963266117746beab6dd5b66696a135a.exe	28
PID 1640 wrote to memory of 1080	1640	3963266117746beab6dd5b66696a135a.exe	28
PID 1640 wrote to memory of 1080	1640	3963266117746beab6dd5b66696a135a.exe	28
PID 1640 wrote to memory of 1080	1640	3963266117746beab6dd5b66696a135a.exe	28
PID 1640 wrote to memory of 1080	1640	3963266117746beab6dd5b66696a135a.exe	28
PID 1640 wrote to memory of 1080	1640	3963266117746beab6dd5b66696a135a.exe	28
PID 1640 wrote to memory of 2832	1640	3963266117746beab6dd5b66696a135a.exe	29
PID 1640 wrote to memory of 2832	1640	3963266117746beab6dd5b66696a135a.exe	29
PID 1640 wrote to memory of 2832	1640	3963266117746beab6dd5b66696a135a.exe	29
PID 1640 wrote to memory of 2832	1640	3963266117746beab6dd5b66696a135a.exe	29
PID 2832 wrote to memory of 2612	2832	lsass.exe	30
PID 2832 wrote to memory of 2612	2832	lsass.exe	30
PID 2832 wrote to memory of 2612	2832	lsass.exe	30
PID 2832 wrote to memory of 2612	2832	lsass.exe	30
PID 2832 wrote to memory of 2856	2832	lsass.exe	31
PID 2832 wrote to memory of 2856	2832	lsass.exe	31
PID 2832 wrote to memory of 2856	2832	lsass.exe	31
PID 2832 wrote to memory of 2856	2832	lsass.exe	31
PID 2832 wrote to memory of 2604	2832	lsass.exe	33
PID 2832 wrote to memory of 2604	2832	lsass.exe	33
PID 2832 wrote to memory of 2604	2832	lsass.exe	33
PID 2832 wrote to memory of 2604	2832	lsass.exe	33
PID 2832 wrote to memory of 3000	2832	lsass.exe	34
PID 2832 wrote to memory of 3000	2832	lsass.exe	34
PID 2832 wrote to memory of 3000	2832	lsass.exe	34
PID 2832 wrote to memory of 3000	2832	lsass.exe	34
PID 2832 wrote to memory of 2624	2832	lsass.exe	37
PID 2832 wrote to memory of 2624	2832	lsass.exe	37
PID 2832 wrote to memory of 2624	2832	lsass.exe	37
PID 2832 wrote to memory of 2624	2832	lsass.exe	37
PID 2832 wrote to memory of 2632	2832	lsass.exe	39
PID 2832 wrote to memory of 2632	2832	lsass.exe	39
PID 2832 wrote to memory of 2632	2832	lsass.exe	39
PID 2832 wrote to memory of 2632	2832	lsass.exe	39
PID 2832 wrote to memory of 2580	2832	lsass.exe	40
PID 2832 wrote to memory of 2580	2832	lsass.exe	40
PID 2832 wrote to memory of 2580	2832	lsass.exe	40
PID 2832 wrote to memory of 2580	2832	lsass.exe	40
PID 2832 wrote to memory of 2588	2832	lsass.exe	42
PID 2832 wrote to memory of 2588	2832	lsass.exe	42
PID 2832 wrote to memory of 2588	2832	lsass.exe	42
PID 2832 wrote to memory of 2588	2832	lsass.exe	42
PID 2832 wrote to memory of 1872	2832	lsass.exe	45
PID 2832 wrote to memory of 1872	2832	lsass.exe	45
PID 2832 wrote to memory of 1872	2832	lsass.exe	45
PID 2832 wrote to memory of 1872	2832	lsass.exe	45
PID 2832 wrote to memory of 1976	2832	lsass.exe	46
PID 2832 wrote to memory of 1976	2832	lsass.exe	46
PID 2832 wrote to memory of 1976	2832	lsass.exe	46
PID 2832 wrote to memory of 1976	2832	lsass.exe	46
PID 2832 wrote to memory of 1892	2832	lsass.exe	47
PID 2832 wrote to memory of 1892	2832	lsass.exe	47
PID 2832 wrote to memory of 1892	2832	lsass.exe	47
PID 2832 wrote to memory of 1892	2832	lsass.exe	47
PID 2832 wrote to memory of 772	2832	lsass.exe	53
PID 2832 wrote to memory of 772	2832	lsass.exe	53
PID 2832 wrote to memory of 772	2832	lsass.exe	53
PID 2832 wrote to memory of 772	2832	lsass.exe	53
PID 1640 wrote to memory of 3016	1640	3963266117746beab6dd5b66696a135a.exe	54
PID 1640 wrote to memory of 3016	1640	3963266117746beab6dd5b66696a135a.exe	54
PID 1640 wrote to memory of 3016	1640	3963266117746beab6dd5b66696a135a.exe	54
PID 1640 wrote to memory of 3016	1640	3963266117746beab6dd5b66696a135a.exe	54
PID 1640 wrote to memory of 1404	1640	3963266117746beab6dd5b66696a135a.exe	55

C:\Users\Admin\AppData\Local\Temp\3963266117746beab6dd5b66696a135a.exe
"C:\Users\Admin\AppData\Local\Temp\3963266117746beab6dd5b66696a135a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1080
- C:\Windows\Prefetch\lsass.exe
  C:\Windows\Prefetch\lsass.exe
  2⤵
  - Modifies WinLogon for persistence
  - Sets file execution options in registry
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    PID:2856
- - C:\Windows\SysWOW64\REG.exe
    REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3000
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2624
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2580
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies registry key
    PID:1976
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1892
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:772
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2468
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1564
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1944
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2404
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1636
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2104
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2856
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    PID:2300
- - C:\Windows\SysWOW64\REG.exe
    REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:980
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:296
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:564
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:572
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies registry key
    PID:1184
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2184
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3004
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2132
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2068
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2276
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1928
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1796
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1816
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3044
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    PID:1488
- - C:\Windows\SysWOW64\REG.exe
    REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1708
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1696
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2412
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2668
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies registry key
    PID:2724
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2688
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:3064
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2652
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2940
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1724
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3036
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1056
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3004
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2684
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies registry key
    PID:2736
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1888
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1504
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1016
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\REG.exe
    REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    - Modifies registry key
    PID:888
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2260
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2624
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2304
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1672
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2792
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2940
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    - Modifies registry key
    PID:684
- - C:\Windows\SysWOW64\REG.exe
    REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2552
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2320
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2908
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1064
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:984
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:2848
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:812
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2300
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:1424
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:1568
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    - Modifies registry key
    PID:800
- - C:\Windows\SysWOW64\REG.exe
    REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1500
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:684
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies registry key
    PID:2916
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1372
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2596
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1656
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:1688
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:280
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:1712
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2472
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2748
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1640
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:3052
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:1948
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:1524
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2492
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2004
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:604
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:868
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:544
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:3008
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:1016
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2092
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:280
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2472
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:560
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2900
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2940
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    PID:944
- - C:\Windows\SysWOW64\REG.exe
    REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:940
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1636
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:924
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1688
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2552
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1828
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies registry key
    PID:1092
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:604
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:904
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:700
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:1632
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2000
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:800
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2236
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    - Modifies registry key
    PID:2336
- - C:\Windows\SysWOW64\REG.exe
    REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:944
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2372
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2784
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2272
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:828
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:2212
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:1676
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2188
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:1888
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:980
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1652
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    - Modifies registry key
    PID:2420
- - C:\Windows\SysWOW64\REG.exe
    REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2516
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1464
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2000
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2280
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3036
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies registry key
    PID:1872
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1524
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2592
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:2480
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2276
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2432
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2888
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:1656
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:2220
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2168
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2448
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2884
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:1408
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1632
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2860
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:800
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:1676
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:3004
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2572
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2004
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2492
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    PID:2024
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2444
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2740
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2436
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\REG.exe
    REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\REG.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    - Modifies registry key
    PID:1880
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:2916
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2528
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2340
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:984
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:1624
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2748
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1984
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2276
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:544
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:112
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2888
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2456
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:2116
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:1664
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2728
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:1548
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2624
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2604
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1620
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:1996
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:1336
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2240
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2200
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:916
- C:\Windows\system\FrozenTearz.exe
  C:\Windows\system\FrozenTearz.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:3016
- C:\Windows\inf\Utilman.exe
  C:\Windows\inf\Utilman.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1404
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1248
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:604
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2660
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2284
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:888
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2520
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2572
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:476
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1020
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2780
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2804
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1336
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:112
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2484
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:1096
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2148
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2732
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1768
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2136
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:1280
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2444
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2468
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:1984
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1540
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2956
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:1468
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2260
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:1888
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2928
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:2208
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2904
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:1500
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2560
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2464
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2916
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:2456
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2128
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:1628
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:1424
- C:\Windows\Fonts\csrss.exe
  C:\Windows\Fonts\csrss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2796
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1732
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2552
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2396
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2460
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2728
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2824
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2320
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:896
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:112
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2484
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2116
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2092
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2320
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2520
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:380
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2564
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1988
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    - Executes dropped EXE
    PID:2360
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:2900
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:1716
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:1452
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:1460
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:1880
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:1968
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1912
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:1968
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2444
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:1492
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2320
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:392
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1992
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:892
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2788
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2236
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:1588
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:1768
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:2956
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2292
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2260
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:1376
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:3032
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:984
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1976
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:1736
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2700
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2024
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:1672
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2764
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:896
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2768
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:1952
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:604
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2040
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2836
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:2068
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2728
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2368
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2560
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2168
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:1452
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:752
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2468
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:892
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2480
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2760
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:1280
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:528
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:1992
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2660
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2916
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2528
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:1496
- C:\Windows\Web\explorer.exe
  C:\Windows\Web\explorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2960
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1224
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2632
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:380
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1988
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1520
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1116
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1640
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1652
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:1472
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2516
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:296
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:1872
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2004
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1600
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2116
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:1088
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:568
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2460
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:3036
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1548
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2340
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:1468
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2908
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2828
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:476
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1200
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2836
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:3044
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:992
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:2580
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2340
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:684
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:3064
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:1532
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:1988
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:812
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:560
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:1336
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2948
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2016
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2852
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:1136
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:1520
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:896
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2768
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2556
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:488
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:1816
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:2804
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:1708
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:888
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:572
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:1712
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2836
- - C:\Windows\system\FrozenTearz.exe
    C:\Windows\system\FrozenTearz.exe
    3⤵
    PID:2328
- - C:\Windows\inf\Utilman.exe
    C:\Windows\inf\Utilman.exe
    3⤵
    PID:2372
- - C:\Windows\Fonts\csrss.exe
    C:\Windows\Fonts\csrss.exe
    3⤵
    PID:2432
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:1144
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\lsass.exe"
    3⤵
    PID:1616
- - C:\Windows\Prefetch\lsass.exe
    C:\Windows\Prefetch\lsass.exe
    3⤵
    PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Kilabot.log

Filesize
1KB

MD5
527c8e9f1dc55effbe0a5c62494b5826

SHA1
9f663b03eaf3e1c377520564322599c564bdab3e

SHA256
209a76fad6beb5d3320e0a4b9452b2c12ffb76592bc70e9ebbec659c12ea9e77

SHA512
a87462c566a52eeaf7c0c98deca154262fffd16a5380a460fc43b629c1ed9ef275d9e0d5f7b3a01a724d5e61977f8d2933f8fff6560dbb709465083cd5a2f3f9

Download Submit
C:\Windows\SysWOW64\klab0t32.ocx

Filesize
9B

MD5
832a89609ba54dabee39c0cffa204280

SHA1
bc95f25f477b71417356ffd96d1125f8977bad71

SHA256
ee33e68bc25f56fa6498cac2817b64990d0b66d68e465c3bb239a19730181d26

SHA512
86486585a49fb6adb4983f2ec07f9720610b32fd85cd5f8aba3432df667c5ce1f4942a95c433900fa75318dadea3c857fe8f8562913701edf26bcae41b36c5aa

Download Submit
C:\Windows\inf\Utilman.exe

Filesize
106KB

MD5
3963266117746beab6dd5b66696a135a

SHA1
45e4b3614f5a3b50af94a7951cc820720c57db9f

SHA256
420bf0074bd44502304ad11385d074f80e04827529920c2ef9fe06e19c475f25

SHA512
8f11f6c228a3ec6b578fe43405b0e5427cd051642081b91241e5444e3a3b34ee597ff96daf70a20766c56900dffa10e90281cad5f439b6853e5f51fd5977f761

Download Submit
F:\Autorun.inf

Filesize
220B

MD5
6b32e590509461cb9cbbdca9dca6c3f3

SHA1
07a50e1b56bd6ce0085c4834328b501379216656

SHA256
c02da0b1c81bd1646d5f15ada43fedd7773c790f25bf578f5da110f6620ed73c

SHA512
a21f01b1a04e55e1568dde5235aef1a28a36e770d84091545ad8f0a22c93736fc77fc314537ca5f8f745f754890ed40c60aaf5d3278324227e0d173830f7b33c

Download Submit
memory/112-391-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/112-1414-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/296-1082-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/380-466-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/476-309-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/604-194-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/888-219-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/896-388-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1020-315-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1056-540-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1116-514-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1116-502-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1224-471-0x0000000002AC0000-0x0000000002B2A000-memory.dmp

Filesize
424KB

Download
memory/1224-1281-0x0000000003000000-0x000000000306A000-memory.dmp

Filesize
424KB

Download
memory/1224-1072-0x0000000003000000-0x000000000306A000-memory.dmp

Filesize
424KB

Download
memory/1224-373-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1224-197-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1224-1074-0x0000000003000000-0x000000000306A000-memory.dmp

Filesize
424KB

Download
memory/1224-236-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1248-187-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1336-326-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1404-78-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1404-212-0x0000000003430000-0x000000000349A000-memory.dmp

Filesize
424KB

Download
memory/1404-358-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1404-229-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1404-160-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1404-257-0x0000000003430000-0x000000000349A000-memory.dmp

Filesize
424KB

Download
memory/1404-301-0x0000000003430000-0x000000000349A000-memory.dmp

Filesize
424KB

Download
memory/1404-313-0x0000000003430000-0x000000000349A000-memory.dmp

Filesize
424KB

Download
memory/1404-834-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1520-499-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1564-165-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1568-1415-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1636-179-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1636-178-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1640-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1640-38-0x0000000002460000-0x00000000024CA000-memory.dmp

Filesize
424KB

Download
memory/1640-528-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1640-71-0x0000000002460000-0x00000000024CA000-memory.dmp

Filesize
424KB

Download
memory/1640-107-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1640-109-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1640-37-0x0000000002460000-0x00000000024CA000-memory.dmp

Filesize
424KB

Download
memory/1640-66-0x0000000002460000-0x00000000024CA000-memory.dmp

Filesize
424KB

Download
memory/1724-511-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1732-234-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1796-367-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1816-372-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1872-1088-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1928-364-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1944-169-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1988-1032-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1988-1036-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1988-485-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2004-1090-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2040-1430-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2068-357-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2092-400-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2104-211-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2116-397-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2132-354-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2148-1432-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2284-207-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2300-1376-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2320-385-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2320-980-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2360-1042-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2396-245-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2404-186-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2460-249-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2468-154-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2468-155-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2484-1422-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2484-394-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2516-1078-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2520-215-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2520-1012-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2552-241-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2572-304-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2592-1048-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2624-1007-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2652-479-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2660-200-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2728-254-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2780-319-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2796-1030-0x0000000001E00000-0x0000000001E6A000-memory.dmp

Filesize
424KB

Download
memory/2796-1020-0x0000000001E00000-0x0000000001E6A000-memory.dmp

Filesize
424KB

Download
memory/2796-369-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2796-979-0x0000000001E00000-0x0000000001E6A000-memory.dmp

Filesize
424KB

Download
memory/2796-306-0x0000000001E00000-0x0000000001E6A000-memory.dmp

Filesize
424KB

Download
memory/2796-176-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2796-231-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2796-1019-0x0000000001E00000-0x0000000001E6A000-memory.dmp

Filesize
424KB

Download
memory/2796-1034-0x0000000001E00000-0x0000000001E6A000-memory.dmp

Filesize
424KB

Download
memory/2796-1027-0x0000000001E00000-0x0000000001E6A000-memory.dmp

Filesize
424KB

Download
memory/2804-322-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2824-260-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2832-1406-0x0000000002560000-0x00000000025CA000-memory.dmp

Filesize
424KB

Download
memory/2832-1037-0x0000000002560000-0x00000000025CA000-memory.dmp

Filesize
424KB

Download
memory/2832-327-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2832-1023-0x0000000002560000-0x00000000025CA000-memory.dmp

Filesize
424KB

Download
memory/2832-1429-0x0000000002560000-0x00000000025CA000-memory.dmp

Filesize
424KB

Download
memory/2832-222-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2832-40-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2832-152-0x0000000002560000-0x00000000025CA000-memory.dmp

Filesize
424KB

Download
memory/2832-958-0x0000000002560000-0x00000000025CA000-memory.dmp

Filesize
424KB

Download
memory/2832-113-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2832-541-0x0000000002560000-0x00000000025CA000-memory.dmp

Filesize
424KB

Download
memory/2832-1006-0x0000000002560000-0x00000000025CA000-memory.dmp

Filesize
424KB

Download
memory/2832-484-0x0000000002560000-0x00000000025CA000-memory.dmp

Filesize
424KB

Download
memory/2832-204-0x0000000002560000-0x00000000025CA000-memory.dmp

Filesize
424KB

Download
memory/2832-1383-0x0000000002560000-0x00000000025CA000-memory.dmp

Filesize
424KB

Download
memory/2832-1351-0x0000000002560000-0x00000000025CA000-memory.dmp

Filesize
424KB

Download
memory/2848-1248-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2960-371-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2960-181-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2960-232-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3004-548-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3016-351-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3016-149-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3016-68-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3036-523-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads