420bf0074bd44502304ad11385d074f80e04827529920c2ef9fe06e19c475f25

Analysis

max time kernel
51s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3963266117746beab6dd5b66696a135a.exe
Size

106KB
MD5

3963266117746beab6dd5b66696a135a
SHA1

45e4b3614f5a3b50af94a7951cc820720c57db9f
SHA256

420bf0074bd44502304ad11385d074f80e04827529920c2ef9fe06e19c475f25
SHA512

8f11f6c228a3ec6b578fe43405b0e5427cd051642081b91241e5444e3a3b34ee597ff96daf70a20766c56900dffa10e90281cad5f439b6853e5f51fd5977f761
SSDEEP

1536:7+qolpTirGvR5knwm8Uq9Q0a7KIV0XelWHlsdGHXFA2T259FTOrSqCYJKEO3n:qq6irEqnwh9Ha3CeMHWGXbuLYJKP3n

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "Userinit.exe, C:\\Windows\\System32\\drivers\\etc\\stsystm.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\Fonts\\explorer.exe"	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	REG.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	nvsvc32.exe

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\explore.exe	csrss.exe
File created	C:\Windows\System32\drivers\etc\explore.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\explorer.exe	explore.exe
File opened for modification	C:\Windows\System32\drivers\etc\winlogon.exe	explore.exe
File created	C:\Windows\System32\drivers\etc\winlogon.exe	explore.exe
File opened for modification	C:\Windows\System32\drivers\etc\stsystm.exe	smss.exe
File opened for modification	C:\Windows\System32\drivers\etc\explorer.exe	3963266117746beab6dd5b66696a135a.exe
File created	C:\Windows\SysWOW64\drivers\explorer.exe	explore.exe
File opened for modification	C:\Windows\System32\drivers\etc\smss.exe	kitty.exe
File created	C:\Windows\System32\drivers\etc\smss.exe	kitty.exe
File created	C:\Windows\System32\drivers\etc\stsystm.exe	smss.exe
File created	C:\Windows\System32\drivers\etc\explorer.exe	3963266117746beab6dd5b66696a135a.exe

Sets file execution options in registry 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "regedt32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmsgs.exe\debugger = "C:\\Windows\\System32\\drivers\\etc\\stsystm.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\debugger = "C:\\Windows\\Web\\explorer.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "rstrui.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "regedit.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\System32\\drivers\\etc\\stsystm.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\debugger = "C:\\Windows\\Fonts\\explorer.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\debugger = "C:\\Windows\\Fonts\\explorer.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "mspaint.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "taskmgr.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\Microsoft.NET\\Framework\\system.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "C:\\Windows\\cursors\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "msconfig.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe\debugger = "C:\\Windows\\Fonts\\explorer.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "calc.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "wscript.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmsgs.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "msmsgs.exe"	lsass.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe	lsass.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe	lsass.exe

Executes dropped EXE 64 IoCs

pid	Process
2012	csrss.exe
1336	explore.exe
5032	winlogon.exe
3884	svchost.exe
3436	lsass.exe
3388	kitty.exe
1572	winlogon.exe
3568	smss.exe
652	lsass.exe
1220	csrss.exe
2624	stsystm.exe
4204	REG.exe
3896	explorer.exe
5176	system.exe
5256	system.exe
5336	explorer.exe
5344	lsass.exe
5308	Conhost.exe
5444	explorer.exe
5484	lsass.exe
5512	lsass.exe
5544	system.exe
5552	REG.exe
5660	csrss.exe
5672	lsass.exe
5724	explorer.exe
5760	csrss.exe
5816	stsystm.exe
5832	explorer.exe
5880	csrss.exe
5956	explorer.exe
6004	stsystm.exe
6040	system.exe
1804	stsystm.exe
5148	explorer.exe
6048	lsass.exe
5204	explorer.exe
1808	nvsvc32.exe
3500	system.exe
5380	stsystm.exe
320	explorer.exe
496	lsass.exe
5256	system.exe
5368	explorer.exe
5436	explorer.exe
4468	system.exe
4344	explorer.exe
5304	lsass.exe
3252	explorer.exe
2096	explorer.exe
5308	Conhost.exe
440	csrss.exe
2916	csrss.exe
2052	REG.exe
5524	system.exe
3488	stsystm.exe
5528	csrss.exe
5500	stsystm.exe
5840	stsystm.exe
5892	explorer.exe
5932	Conhost.exe
5824	REG.exe
5812	stsystm.exe
6120	csrss.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2948-0-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/files/0x000b00000002301c-9.dat	upx
behavioral2/memory/5032-69-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2948-103-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/files/0x0006000000023138-120.dat	upx
behavioral2/memory/1572-147-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2012-224-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1336-233-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5032-238-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3884-245-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4204-247-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3436-251-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3388-265-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5308-275-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5344-273-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1572-277-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5444-293-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3568-288-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5484-299-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5660-316-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5552-310-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1220-303-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2624-305-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/652-296-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5336-272-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3896-322-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5256-264-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5724-328-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5832-336-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5880-371-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5512-386-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5544-376-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5336-368-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5672-335-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5176-333-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5956-391-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1808-399-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1804-400-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/6040-402-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/6048-406-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5148-405-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1220-407-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3500-418-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5816-419-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/320-430-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5256-434-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5368-433-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5380-429-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/496-424-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5436-436-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/6004-435-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5204-444-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5304-457-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5760-412-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3252-459-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/652-460-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/440-458-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5308-464-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2096-461-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2916-472-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3488-467-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/2052-469-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5524-468-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5840-478-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stsystm = "C:\\Windows\\Web\\explorer.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce = "C:\\Windows\\Microsoft.NET\\Framework\\system.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stsystm = "C:\\Users\\Admin\\AppData\\Local\\csrss.exe"	lsass.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Autorun.inf	lsass.exe
File opened for modification	C:\Autorun.inf	lsass.exe
File created	F:\Autorun.inf	lsass.exe
File opened for modification	F:\Autorun.inf	lsass.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	explorer.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	winlogon.exe
File created	C:\Windows\SysWOW64\config\kitty.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	stsystm.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	explorer.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	explorer.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	csrss.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	system.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	system.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	nvsvc32.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	explorer.exe
File opened for modification	C:\Windows\SysWOW64\Restore\sysconfig.exe	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	csrss.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	system.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	explorer.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	smss.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	system.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	explorer.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	explorer.exe
File created	C:\Windows\SysWOW64\klab0t32.ocx	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\SysWOW64\config\system.exe	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	kitty.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	smss.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	lsass.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	lsass.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	system.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	explore.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	lsass.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	stsystm.exe
File opened for modification	C:\Windows\SysWOW64\config\kitty.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	system.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	lsass.exe
File created	C:\Windows\SysWOW64\Restore\sysconfig.exe	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	lsass.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	winDLL.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	lsass.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	lsass.exe
File created	C:\Windows\SysWOW64\config\system.exe	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	csrss.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	stsystm.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\klab0t32.ocx	system.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\config\smss.exe	explore.exe
File opened for modification	C:\Windows\Help\svchost.exe	winlogon.exe
File opened for modification	C:\Windows\Prefetch\explorer.exe	kitty.exe
File created	C:\Windows\Web\explorer.exe	winlogon.exe
File opened for modification	C:\Windows\Prefetch\taskmgr.exe	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\Java\invader.exe	csrss.exe
File opened for modification	C:\Windows\Prefetch\system.exe	csrss.exe
File created	C:\Windows\config\svchost.exe	csrss.exe
File created	C:\Windows\Help\svchost.exe	svchost.exe
File created	C:\Windows\Prefetch\taskmgr.exe	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\msagent\Utilman.exe	winlogon.exe
File created	C:\Windows\msagent\lsass.exe	svchost.exe
File created	C:\Windows\Prefetch\lsass.exe	svchost.exe
File opened for modification	C:\Windows\Web\regidt32.exe	kitty.exe
File created	C:\Windows\Prefetch\system.exe	csrss.exe
File opened for modification	C:\Windows\config\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\system\nvsvc32.exe	kitty.exe
File created	C:\Windows\Fonts\winDLL.exe	winlogon.exe
File opened for modification	C:\Windows\Web\csrss.exe	3963266117746beab6dd5b66696a135a.exe
File created	C:\Windows\Web\csrss.exe	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\config\svchost.exe	csrss.exe
File created	C:\Windows\Help\svchost.exe	winlogon.exe
File opened for modification	C:\Windows\inf\system.exe	svchost.exe
File created	C:\Windows\system\nvsvc32.exe	kitty.exe
File opened for modification	C:\Windows\Fonts\services.exe	winlogon.exe
File created	C:\Windows\cursors\lsass.exe	smss.exe
File created	C:\Windows\msagent\csrss.exe	csrss.exe
File created	C:\Windows\msagent\Utilman.exe	winlogon.exe
File created	C:\Windows\config\svchost.exe	lsass.exe
File opened for modification	C:\Windows\Web\explorer.exe	smss.exe
File opened for modification	C:\Windows\cursors\lsass.exe	smss.exe
File created	C:\Windows\msagent\csrss.exe	3963266117746beab6dd5b66696a135a.exe
File opened for modification	C:\Windows\msagent\lsass.exe	svchost.exe
File created	C:\Windows\inf\system.exe	svchost.exe
File created	C:\Windows\cursors\svchost.exe	lsass.exe
File opened for modification	C:\Windows\msagent\csrss.exe	lsass.exe
File opened for modification	C:\Windows\inf\Executioner.exe	winlogon.exe
File opened for modification	C:\Windows\msagent\csrss.exe	3963266117746beab6dd5b66696a135a.exe
File created	C:\Windows\Prefetch\Templates.exe	explore.exe
File created	C:\Windows\system\svchost.exe	winlogon.exe
File opened for modification	C:\Windows\msagent\services.exe	winlogon.exe
File opened for modification	C:\Windows\Fonts\winDLL.exe	winlogon.exe
File created	C:\Windows\Fonts\services.exe	winlogon.exe
File opened for modification	C:\Windows\Help\explorer.exe	svchost.exe
File created	C:\Windows\Prefetch\explorer.exe	kitty.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\system.exe	smss.exe
File created	C:\Windows\Java\invader.exe	csrss.exe
File created	C:\Windows\config\services.exe	explore.exe
File opened for modification	C:\Windows\Prefetch\lsass.exe	svchost.exe
File opened for modification	C:\Windows\Web\explorer.exe	winlogon.exe
File created	C:\Windows\Help\csrss.exe	csrss.exe
File opened for modification	C:\Windows\config\smss.exe	explore.exe
File opened for modification	C:\Windows\Prefetch\Templates.exe	explore.exe
File opened for modification	C:\Windows\system\services.exe	winlogon.exe
File created	C:\Windows\msagent\services.exe	winlogon.exe
File created	C:\Windows\config\System.exe	svchost.exe
File created	C:\Windows\msagent\csrss.exe	lsass.exe
File created	C:\Windows\Web\regidt32.exe	kitty.exe
File created	C:\Windows\msagent\smss.exe	winlogon.exe
File opened for modification	C:\Windows\cursors\csrss.exe	winlogon.exe
File created	C:\Windows\Help\explorer.exe	svchost.exe
File opened for modification	C:\Windows\cursors\svchost.exe	lsass.exe
File opened for modification	C:\Windows\msagent\csrss.exe	kitty.exe
File created	C:\Windows\inf\Executioner.exe	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Mandirigma - Tear[A]Door /DoomRiderz"	lsass.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2320	REG.exe
5944	REG.exe
4328	REG.exe
2244	REG.exe
5168	REG.exe
5732	REG.exe
5836	REG.exe
5608	REG.exe
4692	REG.exe
3908	REG.exe
6024	REG.exe
4484	REG.exe
3732	REG.exe
912	REG.exe
556	REG.exe
6140	REG.exe
3672	REG.exe
552	REG.exe
1808	REG.exe
3932	REG.exe
4684	REG.exe
5824	REG.exe
2052	REG.exe
728	REG.exe
3116	REG.exe
5260	REG.exe
3672	REG.exe
3468	REG.exe
2648	REG.exe
1564	REG.exe
4044	REG.exe
2648	REG.exe
5552	REG.exe
5420	REG.exe
2224	REG.exe
5612	REG.exe
4696	REG.exe
4660	REG.exe
5824	REG.exe
1832	REG.exe
4204	REG.exe
3320	REG.exe
4692	REG.exe
2304	REG.exe
6056	REG.exe
568	REG.exe
1360	REG.exe
6072	REG.exe
5380	REG.exe
5380	REG.exe
5652	REG.exe
1568	REG.exe
3664	REG.exe
208	REG.exe
4468	REG.exe
5400	REG.exe
4568	REG.exe
5536	REG.exe
1592	REG.exe
2724	REG.exe
1480	REG.exe
4520	REG.exe
4832	REG.exe
5732	REG.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
5336	explorer.exe
652	lsass.exe
3896	explorer.exe
5544	system.exe
5760	csrss.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
3540	rundll32.exe
3952	rundll32.exe
1444	rundll32.exe
3812	rundll32.exe
3312	rundll32.exe
492	rundll32.exe
3824	rundll32.exe
1552	rundll32.exe
1476	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2948	3963266117746beab6dd5b66696a135a.exe
2012	csrss.exe
1336	explore.exe
5032	winlogon.exe
3884	svchost.exe
3436	lsass.exe
3388	kitty.exe
1572	winlogon.exe
3568	smss.exe
652	lsass.exe
1220	csrss.exe
2624	stsystm.exe
4204	REG.exe
3896	explorer.exe
5176	system.exe
5256	system.exe
5344	lsass.exe
5308	Conhost.exe
5336	explorer.exe
5444	explorer.exe
5512	lsass.exe
5484	lsass.exe
5544	system.exe
5552	REG.exe
5660	csrss.exe
5724	explorer.exe
5760	csrss.exe
5672	lsass.exe
5832	explorer.exe
5880	csrss.exe
5816	stsystm.exe
5956	explorer.exe
1808	nvsvc32.exe
1804	stsystm.exe
6004	stsystm.exe
5204	explorer.exe
6040	system.exe
6048	lsass.exe
5148	explorer.exe
3500	system.exe
5380	stsystm.exe
496	lsass.exe
320	explorer.exe
5256	system.exe
5368	explorer.exe
5436	explorer.exe
4468	system.exe
4344	explorer.exe
5304	lsass.exe
440	csrss.exe
3252	explorer.exe
2096	explorer.exe
2052	REG.exe
3488	stsystm.exe
5308	Conhost.exe
2916	csrss.exe
5524	system.exe
5528	csrss.exe
5840	stsystm.exe
5500	stsystm.exe
5892	explorer.exe
5812	stsystm.exe
5824	REG.exe
5932	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 3540	2948	3963266117746beab6dd5b66696a135a.exe	91
PID 2948 wrote to memory of 3540	2948	3963266117746beab6dd5b66696a135a.exe	91
PID 2948 wrote to memory of 3540	2948	3963266117746beab6dd5b66696a135a.exe	91
PID 2948 wrote to memory of 2012	2948	3963266117746beab6dd5b66696a135a.exe	92
PID 2948 wrote to memory of 2012	2948	3963266117746beab6dd5b66696a135a.exe	92
PID 2948 wrote to memory of 2012	2948	3963266117746beab6dd5b66696a135a.exe	92
PID 2012 wrote to memory of 3952	2012	csrss.exe	93
PID 2012 wrote to memory of 3952	2012	csrss.exe	93
PID 2012 wrote to memory of 3952	2012	csrss.exe	93
PID 2012 wrote to memory of 1336	2012	csrss.exe	94
PID 2012 wrote to memory of 1336	2012	csrss.exe	94
PID 2012 wrote to memory of 1336	2012	csrss.exe	94
PID 1336 wrote to memory of 1444	1336	explore.exe	95
PID 1336 wrote to memory of 1444	1336	explore.exe	95
PID 1336 wrote to memory of 1444	1336	explore.exe	95
PID 1336 wrote to memory of 5032	1336	explore.exe	96
PID 1336 wrote to memory of 5032	1336	explore.exe	96
PID 1336 wrote to memory of 5032	1336	explore.exe	96
PID 5032 wrote to memory of 3812	5032	winlogon.exe	97
PID 5032 wrote to memory of 3812	5032	winlogon.exe	97
PID 5032 wrote to memory of 3812	5032	winlogon.exe	97
PID 5032 wrote to memory of 3884	5032	winlogon.exe	98
PID 5032 wrote to memory of 3884	5032	winlogon.exe	98
PID 5032 wrote to memory of 3884	5032	winlogon.exe	98
PID 3884 wrote to memory of 3312	3884	svchost.exe	99
PID 3884 wrote to memory of 3312	3884	svchost.exe	99
PID 3884 wrote to memory of 3312	3884	svchost.exe	99
PID 3884 wrote to memory of 3436	3884	svchost.exe	100
PID 3884 wrote to memory of 3436	3884	svchost.exe	100
PID 3884 wrote to memory of 3436	3884	svchost.exe	100
PID 3436 wrote to memory of 492	3436	lsass.exe	101
PID 3436 wrote to memory of 492	3436	lsass.exe	101
PID 3436 wrote to memory of 492	3436	lsass.exe	101
PID 3436 wrote to memory of 3388	3436	lsass.exe	102
PID 3436 wrote to memory of 3388	3436	lsass.exe	102
PID 3436 wrote to memory of 3388	3436	lsass.exe	102
PID 3388 wrote to memory of 3824	3388	kitty.exe	103
PID 3388 wrote to memory of 3824	3388	kitty.exe	103
PID 3388 wrote to memory of 3824	3388	kitty.exe	103
PID 3388 wrote to memory of 1572	3388	kitty.exe	104
PID 3388 wrote to memory of 1572	3388	kitty.exe	104
PID 3388 wrote to memory of 1572	3388	kitty.exe	104
PID 1572 wrote to memory of 1552	1572	winlogon.exe	105
PID 1572 wrote to memory of 1552	1572	winlogon.exe	105
PID 1572 wrote to memory of 1552	1572	winlogon.exe	105
PID 1572 wrote to memory of 3568	1572	winlogon.exe	491
PID 1572 wrote to memory of 3568	1572	winlogon.exe	491
PID 1572 wrote to memory of 3568	1572	winlogon.exe	491
PID 3568 wrote to memory of 1476	3568	smss.exe	107
PID 3568 wrote to memory of 1476	3568	smss.exe	107
PID 3568 wrote to memory of 1476	3568	smss.exe	107
PID 3568 wrote to memory of 652	3568	smss.exe	108
PID 3568 wrote to memory of 652	3568	smss.exe	108
PID 3568 wrote to memory of 652	3568	smss.exe	108
PID 652 wrote to memory of 2648	652	lsass.exe	543
PID 652 wrote to memory of 2648	652	lsass.exe	543
PID 652 wrote to memory of 2648	652	lsass.exe	543
PID 652 wrote to memory of 1808	652	lsass.exe	256
PID 652 wrote to memory of 1808	652	lsass.exe	256
PID 652 wrote to memory of 1808	652	lsass.exe	256
PID 652 wrote to memory of 568	652	lsass.exe	370
PID 652 wrote to memory of 568	652	lsass.exe	370
PID 652 wrote to memory of 568	652	lsass.exe	370
PID 652 wrote to memory of 3664	652	lsass.exe	115

C:\Users\Admin\AppData\Local\Temp\3963266117746beab6dd5b66696a135a.exe
"C:\Users\Admin\AppData\Local\Temp\3963266117746beab6dd5b66696a135a.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3540
- C:\Windows\Web\csrss.exe
  C:\Windows\Web\csrss.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:3952
- - C:\Windows\System32\drivers\etc\explore.exe
    C:\Windows\System32\drivers\etc\explore.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:1444
  - - C:\Windows\System32\drivers\etc\winlogon.exe
      C:\Windows\System32\drivers\etc\winlogon.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3812
    - - C:\Windows\Help\svchost.exe
        
        C:\Windows\Help\svchost.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3884
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
        6⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3312
      - C:\Windows\Prefetch\lsass.exe
        
        C:\Windows\Prefetch\lsass.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:492
        
        C:\Windows\SysWOW64\config\kitty.exe
        
        C:\Windows\System32\config\kitty.exe
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
        8⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\winlogon.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1552
        
        C:\Windows\Fonts\services.exe
        
        C:\Windows\Fonts\services.exe
        9⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
        10⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1476
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        10⤵
        Modifies WinLogon for persistence
        Sets file execution options in registry
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Drops autorun.inf file
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:2648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5932
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:568
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:3664
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:4696
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
        11⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4660
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:1360
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
        11⤵
        Modifies registry key
        
        PID:3932
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        12⤵
        
        PID:4608
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        12⤵
        
        PID:5556
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        12⤵
        
        PID:5552
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        12⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:728
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:4520
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:208
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:5148
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5524
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5256
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:4208
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:6104
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:1884
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:4528
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5904
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5508
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:4984
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:6072
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5380
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
        11⤵
        Modifies registry key
        
        PID:556
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5608
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:3116
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5260
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
        11⤵
        Executes dropped EXE
        Modifies registry key
        Suspicious use of SetWindowsHookEx
        
        PID:4204
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5168
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:4468
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        
        PID:5540
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5820
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:4664
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:6024
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5024
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:3128
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:2492
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5612
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:3808
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
        11⤵
        
        PID:5532
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5380
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5732
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
        11⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        11⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:3672
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:2648
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5944
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:3320
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:3908
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:6024
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:4608
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5740
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5160
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:6004
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5832
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5472
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:6056
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5652
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:2304
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
        11⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5536
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
        11⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:6140
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:3468
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:4484
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
        11⤵
        Executes dropped EXE
        Modifies registry key
        Suspicious use of SetWindowsHookEx
        
        PID:5552
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:1564
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:6056
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5572
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5756
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:4284
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:4424
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5672
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5816
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:1508
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:4496
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5476
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5512
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5008
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:4832
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
        11⤵
        Modifies registry key
        
        PID:3672
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:4328
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5836
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:3732
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:2724
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
        11⤵
        Executes dropped EXE
        Modifies registry key
        Suspicious use of SetWindowsHookEx
        
        PID:5824
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5732
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5724
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:1816
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5244
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5852
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:5280
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:2968
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:636
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5608
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:4044
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5380
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
        11⤵
        Executes dropped EXE
        Modifies registry key
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:2244
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
        11⤵
        Modifies registry key
        
        PID:4692
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f
        11⤵
        
        PID:916
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:1480
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        11⤵
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5308
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:1568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:5612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:552
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:4568
        
        C:\Windows\SysWOW64\REG.exe
        
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:1832
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:1188
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:4484
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        Modifies visiblity of hidden/system files in Explorer
        Drops file in System32 directory
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:568
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:4996
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:3236
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5232
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5332
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:4984
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:2568
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:6120
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:948
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:1648
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5624
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:2796
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:3792
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5812
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:4720
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:1956
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5412
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:6012
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5248
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:2920
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5632
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:3356
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:3896
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:440
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5812
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:2132
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:2236
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5504
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:5332
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5908
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5848
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5740
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:568
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5840
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5556
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5008
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:440
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:6048
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:5440
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:6124
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:3432
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5008
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5252
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:5716
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:4164
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:4212
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5520
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:1944
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3488
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:3128
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:4696
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:3740
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:2444
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:3672
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:3932
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5204
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:4880
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:3732
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:5476
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:1956
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:2380
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:4964
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:6000
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:2960
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:1804
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:1044
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:6104
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:3148
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:1592
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:2328
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:1080
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:1556
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:3180
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:5336
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:440
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5784
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:6064
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5464
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5304
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:3440
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:3208
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:3792
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:2920
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5308
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:5920
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:3916
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5296
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:2012
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5304
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:5476
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5368
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5688
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5792
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:3768
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:216
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5248
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:4184
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:6108
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:2976
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5248
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:2632
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:496
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:4584
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:1544
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5060
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5852
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:3560
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:312
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:4944
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:3124
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:1828
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:2276
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:1752
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:876
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:4724
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5588
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:4892
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:5544
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:1220
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5276
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5324
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5716
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:4584
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:3488
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:6104
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:1132
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:6108
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5472
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:5112
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:1380
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5160
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:3392
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:5760
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:2004
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5588
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5148
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5384
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:1944
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:5576
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5664
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5996
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:1204
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:544
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5388
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5308
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        Executes dropped EXE
        
        PID:6120
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:4872
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:4724
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5944
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:6128
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5528
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5412
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:4328
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:4984
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5416
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:1648
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:2492
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5248
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4344
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:1836
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5716
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:956
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:1220
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:2012
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:3220
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:4164
        
        C:\Windows\inf\Executioner.exe
        
        C:\Windows\inf\Executioner.exe
        10⤵
        
        PID:6004
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        11⤵
        
        PID:320
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:5308
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:5932
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:5260
        
        C:\Windows\Fonts\winDLL.exe
        
        C:\Windows\Fonts\winDLL.exe
        10⤵
        
        PID:6108
        
        C:\Windows\cursors\csrss.exe
        
        C:\Windows\cursors\csrss.exe
        10⤵
        
        PID:5920
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        11⤵
        
        PID:920
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        11⤵
        
        PID:1092
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        11⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        11⤵
        
        PID:5580
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        11⤵
        
        PID:1380
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        10⤵
        
        PID:680
        
        C:\Windows\Fonts\services.exe
        
        C:\Windows\Fonts\services.exe
        10⤵
        
        PID:4400
        
        C:\Windows\inf\Executioner.exe
        
        C:\Windows\inf\Executioner.exe
        9⤵
        
        PID:5528
        
        C:\Windows\Fonts\winDLL.exe
        
        C:\Windows\Fonts\winDLL.exe
        9⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        10⤵
        
        PID:3772
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        10⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        10⤵
        
        PID:4692
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        10⤵
        
        PID:6140
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        10⤵
        
        PID:1464
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        10⤵
        
        PID:2920
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        9⤵
        
        PID:5916
        
        C:\Windows\cursors\csrss.exe
        
        C:\Windows\cursors\csrss.exe
        9⤵
        
        PID:6116
        
        C:\Windows\Web\regidt32.exe
        
        C:\Windows\Web\regidt32.exe
        9⤵
        
        PID:5868
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        10⤵
        
        PID:4608
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        10⤵
        
        PID:5320
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        10⤵
        
        PID:1836
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        10⤵
        
        PID:6128
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        10⤵
        
        PID:496
        
        C:\Windows\system\nvsvc32.exe
        
        C:\Windows\system\nvsvc32.exe
        9⤵
        
        PID:2244
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        10⤵
        
        PID:2844
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        10⤵
        
        PID:6092
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        10⤵
        
        PID:3392
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        10⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        10⤵
        
        PID:4724
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5484
        
        C:\Windows\Prefetch\explorer.exe
        
        C:\Windows\Prefetch\explorer.exe
        9⤵
        
        PID:2388
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        10⤵
        
        PID:5252
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        10⤵
        
        PID:3452
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        10⤵
        
        PID:5188
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        10⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        10⤵
        
        PID:216
        
        C:\Windows\System32\drivers\etc\smss.exe
        
        C:\Windows\System32\drivers\etc\smss.exe
        9⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        10⤵
        
        PID:4964
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        10⤵
        
        PID:5364
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        10⤵
        
        PID:4996
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        10⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        10⤵
        
        PID:5132
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        10⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\winlogon.exe"
        9⤵
        
        PID:6072
        
        C:\Windows\Web\regidt32.exe
        
        C:\Windows\Web\regidt32.exe
        8⤵
        
        PID:4344
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        9⤵
        
        PID:6056
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        9⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        9⤵
        
        PID:1956
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        9⤵
        
        PID:5528
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5524
        
        C:\Windows\system\nvsvc32.exe
        
        C:\Windows\system\nvsvc32.exe
        8⤵
        Disables cmd.exe use via registry modification
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        9⤵
        
        PID:4036
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        9⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        9⤵
        
        PID:2972
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        9⤵
        
        PID:5584
        
        C:\Windows\Prefetch\explorer.exe
        
        C:\Windows\Prefetch\explorer.exe
        8⤵
        
        PID:3532
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        9⤵
        
        PID:5932
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        9⤵
        
        PID:6088
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        9⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        9⤵
        
        PID:3936
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        9⤵
        
        PID:2968
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        9⤵
        
        PID:6124
        
        C:\Windows\System32\drivers\etc\smss.exe
        
        C:\Windows\System32\drivers\etc\smss.exe
        8⤵
        
        PID:4048
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        9⤵
        
        PID:2824
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        9⤵
        
        PID:3320
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        9⤵
        
        PID:5716
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        9⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        9⤵
        
        PID:5128
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        9⤵
        
        PID:728
        
        C:\Windows\SysWOW64\config\kitty.exe
        
        C:\Windows\System32\config\kitty.exe
        8⤵
        
        PID:5904
        
        C:\Windows\cursors\svchost.exe
        
        C:\Windows\cursors\svchost.exe
        8⤵
        
        PID:5416
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        9⤵
        
        PID:2844
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        9⤵
        
        PID:5140
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        9⤵
        
        PID:828
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        9⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        9⤵
        
        PID:1464
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        9⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\smss.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\smss.exe"
        8⤵
        
        PID:5512
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        9⤵
        
        PID:3216
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        9⤵
        
        PID:3432
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        9⤵
        
        PID:4948
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        9⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        9⤵
        
        PID:5820
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        9⤵
        
        PID:6052
        
        C:\Windows\cursors\svchost.exe
        
        C:\Windows\cursors\svchost.exe
        7⤵
        
        PID:5204
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        8⤵
        
        PID:496
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5892
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3252
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        8⤵
        
        PID:568
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        8⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        8⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\smss.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\smss.exe"
        7⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        8⤵
        
        PID:5564
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        8⤵
        
        PID:2492
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        8⤵
        
        PID:5136
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        8⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        8⤵
        
        PID:3488
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        8⤵
        
        PID:432
        
        C:\Windows\Help\explorer.exe
        
        C:\Windows\Help\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        8⤵
        
        PID:1844
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        8⤵
        
        PID:5496
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        8⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        8⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        8⤵
        
        PID:5996
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        8⤵
        
        PID:6140
        
        C:\Windows\inf\system.exe
        
        C:\Windows\inf\system.exe
        7⤵
        
        PID:816
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        8⤵
        
        PID:1576
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        8⤵
        
        PID:6124
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        8⤵
        
        PID:1296
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        8⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        8⤵
        
        PID:5896
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        8⤵
        
        PID:4696
        
        C:\Windows\Help\svchost.exe
        
        C:\Windows\Help\svchost.exe
        7⤵
        
        PID:5116
        
        C:\Windows\Prefetch\lsass.exe
        
        C:\Windows\Prefetch\lsass.exe
        7⤵
        
        PID:4068
      - C:\Windows\Help\explorer.exe
        
        C:\Windows\Help\explorer.exe
        6⤵
        
        PID:5816
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        7⤵
        
        PID:5380
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        7⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        7⤵
        
        PID:2900
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        7⤵
        
        PID:5292
      - C:\Windows\inf\system.exe
        
        C:\Windows\inf\system.exe
        6⤵
        
        PID:5672
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        7⤵
        
        PID:5724
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        7⤵
        
        PID:5848
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        7⤵
        
        PID:5608
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        7⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        7⤵
        
        PID:2940
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        7⤵
        
        PID:1464
      - C:\Windows\Help\svchost.exe
        
        C:\Windows\Help\svchost.exe
        6⤵
        
        PID:5952
      - C:\Windows\system\svchost.exe
        
        C:\Windows\system\svchost.exe
        6⤵
        
        PID:5136
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        7⤵
        
        PID:2908
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        7⤵
        
        PID:5520
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        7⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5660
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        7⤵
        
        PID:5464
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        7⤵
        
        PID:3672
      - C:\Windows\system\services.exe
        
        C:\Windows\system\services.exe
        6⤵
        
        PID:5636
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5812
        
        C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        7⤵
        
        PID:5348
        
        C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        7⤵
        
        PID:3396
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        7⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        7⤵
        
        PID:4208
        
        C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5344
      - C:\Windows\Help\svchost.exe
        
        C:\Windows\Help\svchost.exe
        6⤵
        
        PID:5624
    - - C:\Windows\system\svchost.exe
        
        C:\Windows\system\svchost.exe
        5⤵
        
        PID:5512
      - C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        6⤵
        
        PID:6048
      - C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        6⤵
        
        PID:2916
      - C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        6⤵
        
        PID:5368
      - C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        6⤵
        
        PID:6120
      - C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        6⤵
        
        PID:2908
    - - C:\Windows\system\services.exe
        
        C:\Windows\system\services.exe
        5⤵
        
        PID:3932
      - C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        6⤵
        
        PID:5728
      - C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        6⤵
        
        PID:5380
    - - C:\Windows\Prefetch\Templates.exe
        
        C:\Windows\Prefetch\Templates.exe
        5⤵
        
        PID:6048
      - C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        6⤵
        
        PID:5388
      - C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        6⤵
        
        PID:5996
      - C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        6⤵
        
        PID:496
      - C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        6⤵
        
        PID:5420
      - C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        6⤵
        
        PID:5688
      - C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        6⤵
        
        PID:5484
    - - C:\Windows\Prefetch\system.exe
        
        C:\Windows\Prefetch\system.exe
        5⤵
        
        PID:3492
    - - C:\Windows\SysWOW64\drivers\explorer.exe
        
        C:\Windows\System32\drivers\explorer.exe
        5⤵
        
        PID:5248
      - C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        6⤵
        
        PID:3440
      - C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        6⤵
        
        PID:208
      - C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        6⤵
        
        PID:5948
      - C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        6⤵
        
        PID:3068
      - C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        6⤵
        
        PID:2052
    - - C:\Windows\System32\drivers\etc\winlogon.exe
        
        C:\Windows\System32\drivers\etc\winlogon.exe
        5⤵
        
        PID:3220
  - - C:\Windows\Prefetch\Templates.exe
      C:\Windows\Prefetch\Templates.exe
      4⤵
      PID:5344
    - - C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        5⤵
        
        PID:5484
    - - C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        5⤵
        
        PID:5724
    - - C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5956
    - - C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3500
    - - C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        5⤵
        
        PID:5304
    - - C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        5⤵
        
        PID:5840
  - - C:\Windows\Prefetch\system.exe
      C:\Windows\Prefetch\system.exe
      4⤵
      PID:5372
    - - C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        5⤵
        
        PID:5476
    - - C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        5⤵
        
        PID:4684
    - - C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        5⤵
        
        PID:3432
    - - C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        5⤵
        
        PID:5476
    - - C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        5⤵
        
        PID:5008
    - - C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        5⤵
        
        PID:5008
  - - C:\Windows\SysWOW64\drivers\explorer.exe
      C:\Windows\System32\drivers\explorer.exe
      4⤵
      Drops file in System32 directory
      PID:1392
    - - C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        5⤵
        
        PID:4444
    - - C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        5⤵
        
        PID:1416
    - - C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        5⤵
        
        PID:5308
    - - C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        5⤵
        
        PID:5816
    - - C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        5⤵
        
        PID:5608
    - - C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        5⤵
        
        PID:4164
  - - C:\Windows\System32\drivers\etc\explore.exe
      C:\Windows\System32\drivers\etc\explore.exe
      4⤵
      PID:4148
  - - C:\Windows\Prefetch\system.exe
      C:\Windows\Prefetch\system.exe
      4⤵
      PID:6060
    - - C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        5⤵
        
        PID:432
    - - C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        5⤵
        
        PID:5324
    - - C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        5⤵
        
        PID:5792
    - - C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        5⤵
        
        PID:4892
    - - C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        5⤵
        
        PID:5740
    - - C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        5⤵
        
        PID:5752
  - - C:\Windows\Help\csrss.exe
      C:\Windows\Help\csrss.exe
      4⤵
      PID:3204
    - - C:\Windows\System32\drivers\etc\stsystm.exe
        
        C:\Windows\System32\drivers\etc\stsystm.exe
        5⤵
        
        PID:1956
    - - C:\Windows\Fonts\explorer.exe
        
        C:\Windows\Fonts\explorer.exe
        5⤵
        
        PID:5540
    - - C:\Windows\Web\explorer.exe
        
        C:\Windows\Web\explorer.exe
        5⤵
        
        PID:4984
    - - C:\Windows\Microsoft.NET\Framework\system.exe
        
        C:\Windows\Microsoft.NET\Framework\system.exe
        5⤵
        
        PID:2792
    - - C:\Users\Admin\AppData\Local\csrss.exe
        
        C:\Users\Admin\AppData\Local\csrss.exe
        5⤵
        
        PID:208
    - - C:\Windows\cursors\lsass.exe
        
        C:\Windows\cursors\lsass.exe
        5⤵
        
        PID:4664
- - C:\Windows\Prefetch\system.exe
    C:\Windows\Prefetch\system.exe
    3⤵
    PID:5176
  - - C:\Windows\System32\drivers\etc\stsystm.exe
      C:\Windows\System32\drivers\etc\stsystm.exe
      4⤵
      PID:5308
  - - C:\Windows\Fonts\explorer.exe
      C:\Windows\Fonts\explorer.exe
      4⤵
      PID:5552
  - - C:\Windows\Web\explorer.exe
      C:\Windows\Web\explorer.exe
      4⤵
      PID:5832
  - - C:\Windows\Microsoft.NET\Framework\system.exe
      C:\Windows\Microsoft.NET\Framework\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6040
  - - C:\Users\Admin\AppData\Local\csrss.exe
      C:\Users\Admin\AppData\Local\csrss.exe
      4⤵
      PID:5436
  - - C:\Windows\cursors\lsass.exe
      C:\Windows\cursors\lsass.exe
      4⤵
      PID:2052
- - C:\Windows\Help\csrss.exe
    C:\Windows\Help\csrss.exe
    3⤵
    PID:4824
  - - C:\Windows\System32\drivers\etc\stsystm.exe
      C:\Windows\System32\drivers\etc\stsystm.exe
      4⤵
      PID:4036
  - - C:\Windows\Web\explorer.exe
      C:\Windows\Web\explorer.exe
      4⤵
      PID:5352
  - - C:\Windows\cursors\lsass.exe
      C:\Windows\cursors\lsass.exe
      4⤵
      PID:5552
  - - C:\Users\Admin\AppData\Local\csrss.exe
      C:\Users\Admin\AppData\Local\csrss.exe
      4⤵
      PID:5652
  - - C:\Windows\Microsoft.NET\Framework\system.exe
      C:\Windows\Microsoft.NET\Framework\system.exe
      4⤵
      PID:3892
  - - C:\Windows\Fonts\explorer.exe
      C:\Windows\Fonts\explorer.exe
      4⤵
      PID:784
- - C:\Windows\cursors\lsass.exe
    C:\Windows\cursors\lsass.exe C:\Windows\Prefetch\taskmgr.exe
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\Restore\sysconfig.exe
    C:\Windows\System32\Restore\sysconfig.exe
    3⤵
    PID:5132
- - C:\Windows\SysWOW64\config\system.exe
    C:\Windows\System32\config\system.exe
    3⤵
    PID:4892
- - C:\Windows\System32\drivers\etc\explorer.exe
    C:\Windows\System32\drivers\etc\explorer.exe
    3⤵
    PID:6044
  - - C:\Windows\System32\drivers\etc\stsystm.exe
      C:\Windows\System32\drivers\etc\stsystm.exe
      4⤵
      PID:3052
  - - C:\Windows\Fonts\explorer.exe
      C:\Windows\Fonts\explorer.exe
      4⤵
      PID:5792
  - - C:\Windows\Web\explorer.exe
      C:\Windows\Web\explorer.exe
      4⤵
      PID:5324
  - - C:\Windows\Microsoft.NET\Framework\system.exe
      C:\Windows\Microsoft.NET\Framework\system.exe
      4⤵
      PID:5836
  - - C:\Users\Admin\AppData\Local\csrss.exe
      C:\Users\Admin\AppData\Local\csrss.exe
      4⤵
      PID:5264
  - - C:\Windows\cursors\lsass.exe
      C:\Windows\cursors\lsass.exe
      4⤵
      PID:5104
- - C:\Windows\Web\csrss.exe
    C:\Windows\Web\csrss.exe
    3⤵
    PID:5128
- C:\Windows\Prefetch\taskmgr.exe
  C:\Windows\Prefetch\taskmgr.exe
  2⤵
  PID:1220
- - C:\Windows\System32\drivers\etc\stsystm.exe
    C:\Windows\System32\drivers\etc\stsystm.exe
    3⤵
    PID:4204
- - C:\Windows\Fonts\explorer.exe
    C:\Windows\Fonts\explorer.exe
    3⤵
    PID:5256
- - C:\Windows\Microsoft.NET\Framework\system.exe
    C:\Windows\Microsoft.NET\Framework\system.exe
    3⤵
    PID:5660
- - C:\Users\Admin\AppData\Local\csrss.exe
    C:\Users\Admin\AppData\Local\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5880
- - C:\Windows\cursors\lsass.exe
    C:\Windows\cursors\lsass.exe
    3⤵
    PID:1808
  - - C:\Windows\Fonts\explorer.exe
      C:\Windows\Fonts\explorer.exe
      4⤵
      PID:5188
  - - C:\Windows\System32\drivers\etc\stsystm.exe
      C:\Windows\System32\drivers\etc\stsystm.exe
      4⤵
      PID:5820
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5444
- C:\Windows\SysWOW64\Restore\sysconfig.exe
  C:\Windows\System32\Restore\sysconfig.exe
  2⤵
  PID:4468
- - C:\Windows\Fonts\explorer.exe
    C:\Windows\Fonts\explorer.exe
    3⤵
    PID:6012
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:3244
- - C:\Users\Admin\AppData\Local\csrss.exe
    C:\Users\Admin\AppData\Local\csrss.exe
    3⤵
    PID:2976
- - C:\Windows\cursors\lsass.exe
    C:\Windows\cursors\lsass.exe
    3⤵
    PID:5620
- - C:\Windows\Microsoft.NET\Framework\system.exe
    C:\Windows\Microsoft.NET\Framework\system.exe
    3⤵
    PID:2632
- C:\Windows\SysWOW64\config\system.exe
  C:\Windows\System32\config\system.exe
  2⤵
  - Drops file in System32 directory
  PID:1556
- - C:\Windows\Web\explorer.exe
    C:\Windows\Web\explorer.exe
    3⤵
    PID:1332
- - C:\Windows\Microsoft.NET\Framework\system.exe
    C:\Windows\Microsoft.NET\Framework\system.exe
    3⤵
    PID:5324
- - C:\Users\Admin\AppData\Local\csrss.exe
    C:\Users\Admin\AppData\Local\csrss.exe
    3⤵
    PID:5988
- - C:\Windows\cursors\lsass.exe
    C:\Windows\cursors\lsass.exe
    3⤵
    PID:6060
- C:\Windows\System32\drivers\etc\explorer.exe
  C:\Windows\System32\drivers\etc\explorer.exe
  2⤵
  PID:5852

C:\Windows\System32\drivers\etc\stsystm.exe
C:\Windows\System32\drivers\etc\stsystm.exe
1⤵
PID:5672

C:\Windows\System32\drivers\etc\stsystm.exe
C:\Windows\System32\drivers\etc\stsystm.exe
1⤵
PID:3488

C:\Windows\System32\drivers\etc\stsystm.exe
C:\Windows\System32\drivers\etc\stsystm.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5500

C:\Windows\System32\drivers\etc\stsystm.exe
C:\Windows\System32\drivers\etc\stsystm.exe
1⤵
PID:5256

C:\Windows\Fonts\explorer.exe
C:\Windows\Fonts\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5436

C:\Windows\System32\drivers\etc\stsystm.exe
C:\Windows\System32\drivers\etc\stsystm.exe
1⤵
PID:412

C:\Windows\System32\drivers\etc\stsystm.exe
C:\Windows\System32\drivers\etc\stsystm.exe
1⤵
PID:3068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4208

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Kilabot.log

Filesize
1KB

MD5
527c8e9f1dc55effbe0a5c62494b5826

SHA1
9f663b03eaf3e1c377520564322599c564bdab3e

SHA256
209a76fad6beb5d3320e0a4b9452b2c12ffb76592bc70e9ebbec659c12ea9e77

SHA512
a87462c566a52eeaf7c0c98deca154262fffd16a5380a460fc43b629c1ed9ef275d9e0d5f7b3a01a724d5e61977f8d2933f8fff6560dbb709465083cd5a2f3f9

Download Submit
C:\Windows\SysWOW64\config\kitty.exe

Filesize
64KB

MD5
c3040de922a93b2d683f27423de26b9f

SHA1
3b4c0c6d388de68bc1ee49657e7ccd04e367e68e

SHA256
481dfa28b43d92cb4c7decaf5fa5468ae96b1bcff173b4bce19ae92089d2bf1d

SHA512
1bfc7e6b0b44f2bd44693fa37805feb75e99b40bbe234f5dae13a25eb325d0807266a11490df5175cb18b3afa3758a2111bf8c334a80a9298b40fe73a4a09a8a

Download Submit
C:\Windows\SysWOW64\klab0t32.ocx

Filesize
9B

MD5
9e9742780f7eac6d10ff0eb4d1817896

SHA1
51497c2b4bacafcdc7383f6957f1d6be6a4e2dae

SHA256
d97303da840d2dfce966eb7173b43129d00f7566652dc61f45ab9c77dbfb5608

SHA512
1342a71d99d583399662fd57057d3b53589035620fd6585a3f242bc53efe70be9a8a856bebcd7d207934ac508e8885d15ad28dba54ddd0cd040fbc8bb13b68af

Download Submit
C:\Windows\SysWOW64\restore\sysconfig.exe

Filesize
106KB

MD5
3963266117746beab6dd5b66696a135a

SHA1
45e4b3614f5a3b50af94a7951cc820720c57db9f

SHA256
420bf0074bd44502304ad11385d074f80e04827529920c2ef9fe06e19c475f25

SHA512
8f11f6c228a3ec6b578fe43405b0e5427cd051642081b91241e5444e3a3b34ee597ff96daf70a20766c56900dffa10e90281cad5f439b6853e5f51fd5977f761

Download Submit
F:\Autorun.inf

Filesize
232B

MD5
7e63168cbad085e6a622185341172eec

SHA1
da57dd0e3dc0f4d95a155abff78a10cc97cef27d

SHA256
90556f6f078cb5838d64260161a24b647c92c8ba6eace5e337c8f0bbc832a8be

SHA512
b88a97c00353e8d0b6c436d149bdef0f66ec6dd98b830aa10615ecc7c69dc8d8e81cfa120c745eb0ed708450178ca55eba180e0e595e37afbbafff8d38ffb00d

Download Submit
memory/320-430-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/440-621-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/440-458-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/496-424-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/568-545-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/652-296-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/652-460-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/784-635-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1220-407-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1220-303-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1220-574-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1336-233-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1572-147-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1572-277-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1804-400-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1808-399-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1956-707-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2012-224-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2052-469-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2096-461-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2132-549-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2236-682-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2624-305-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2632-627-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2900-546-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2908-569-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2916-636-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2916-472-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2920-641-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2948-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2948-103-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2972-689-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2976-683-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3244-571-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3252-459-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3388-265-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3436-251-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3488-467-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3500-418-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3568-288-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3600-705-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3772-573-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3884-245-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3896-322-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3896-534-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4036-572-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4204-247-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4208-551-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4344-482-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4468-492-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4528-601-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4584-622-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4684-666-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5032-238-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5032-69-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5148-405-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5176-487-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5176-333-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5204-444-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5256-434-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5256-264-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5260-699-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5292-602-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5304-457-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5308-464-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5308-275-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5336-368-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5336-272-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5344-273-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5344-690-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5344-506-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5352-688-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5368-433-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5380-429-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5392-586-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5436-436-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5444-293-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5476-579-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5484-299-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5500-491-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5504-604-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5512-587-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5512-386-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5524-649-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5524-468-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5528-477-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5544-376-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5552-310-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5552-687-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5572-633-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5660-316-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5672-335-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5724-328-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5760-412-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5784-662-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5812-505-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5816-623-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5816-419-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5824-508-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5832-336-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5836-509-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5840-478-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5880-371-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5892-499-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5932-510-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5952-629-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5956-391-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/6004-435-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/6012-513-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/6024-588-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/6040-402-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/6048-406-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/6056-526-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/6108-677-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/6120-515-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads