Analysis
max time kernel: 51s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 14:13
Behavioral task: behavioral1
Sample: 3963266117746beab6dd5b66696a135a.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 3963266117746beab6dd5b66696a135a.exe
Resource: win10v2004-20231215-en
General
Target: 3963266117746beab6dd5b66696a135a.exe
Size: 106KB
MD5: 3963266117746beab6dd5b66696a135a
SHA1: 45e4b3614f5a3b50af94a7951cc820720c57db9f
SHA256: 420bf0074bd44502304ad11385d074f80e04827529920c2ef9fe06e19c475f25
SHA512: 8f11f6c228a3ec6b578fe43405b0e5427cd051642081b91241e5444e3a3b34ee597ff96daf70a20766c56900dffa10e90281cad5f439b6853e5f51fd5977f761
SSDEEP: 1536:7+qolpTirGvR5knwm8Uq9Q0a7KIV0XelWHlsdGHXFA2T259FTOrSqCYJKEO3n:qq6irEqnwh9Ha3CeMHWGXbuLYJKP3n
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "Userinit.exe, C:\\Windows\\System32\\drivers\\etc\\stsystm.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\Fonts\\explorer.exe" | lsass.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | REG.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | nvsvc32.exe
Drops file in Drivers directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\explore.exe | csrss.exe
File created | C:\Windows\System32\drivers\etc\explore.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\explorer.exe | explore.exe
File opened for modification | C:\Windows\System32\drivers\etc\winlogon.exe | explore.exe
File created | C:\Windows\System32\drivers\etc\winlogon.exe | explore.exe
File opened for modification | C:\Windows\System32\drivers\etc\stsystm.exe | smss.exe
File opened for modification | C:\Windows\System32\drivers\etc\explorer.exe | 3963266117746beab6dd5b66696a135a.exe
File created | C:\Windows\SysWOW64\drivers\explorer.exe | explore.exe
File opened for modification | C:\Windows\System32\drivers\etc\smss.exe | kitty.exe
File created | C:\Windows\System32\drivers\etc\smss.exe | kitty.exe
File created | C:\Windows\System32\drivers\etc\stsystm.exe | smss.exe
File created | C:\Windows\System32\drivers\etc\explorer.exe | 3963266117746beab6dd5b66696a135a.exe
Sets file execution options in registry (2 TTPs, 27 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "regedt32.exe" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmsgs.exe\debugger = "C:\\Windows\\System32\\drivers\\etc\\stsystm.exe" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\debugger = "C:\\Windows\\Web\\explorer.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "rstrui.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "regedit.exe" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\System32\\drivers\\etc\\stsystm.exe" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\debugger = "C:\\Windows\\Fonts\\explorer.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\debugger = "C:\\Windows\\Fonts\\explorer.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "mspaint.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "taskmgr.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\Microsoft.NET\\Framework\\system.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\csrss.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "C:\\Windows\\cursors\\lsass.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "msconfig.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe\debugger = "C:\\Windows\\Fonts\\explorer.exe" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "calc.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "wscript.exe" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmsgs.exe | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options = "msmsgs.exe" | lsass.exe
Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe | lsass.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe | lsass.exe
Executes dropped EXE (64 IoCs)
pid Process:
2012 csrss.exe, 1336 explore.exe, 5032 winlogon.exe, 3884 svchost.exe, 3436 lsass.exe, 3388 kitty.exe, 1572 winlogon.exe, 3568 smss.exe,
652 lsass.exe, 1220 csrss.exe, 2624 stsystm.exe, 4204 REG.exe, 3896 explorer.exe, 5176 system.exe, 5256 system.exe, 5336 explorer.exe,
5344 lsass.exe, 5308 Conhost.exe, 5444 explorer.exe, 5484 lsass.exe, 5512 lsass.exe, 5544 system.exe, 5552 REG.exe, 5660 csrss.exe,
5672 lsass.exe, 5724 explorer.exe, 5760 csrss.exe, 5816 stsystm.exe, 5832 explorer.exe, 5880 csrss.exe, 5956 explorer.exe, 6004 stsystm.exe,
6040 system.exe, 1804 stsystm.exe, 5148 explorer.exe, 6048 lsass.exe, 5204 explorer.exe, 1808 nvsvc32.exe, 3500 system.exe, 5380 stsystm.exe,
320 explorer.exe, 496 lsass.exe, 5256 system.exe, 5368 explorer.exe, 5436 explorer.exe, 4468 system.exe, 4344 explorer.exe, 5304 lsass.exe,
3252 explorer.exe, 2096 explorer.exe, 5308 Conhost.exe, 440 csrss.exe, 2916 csrss.exe, 2052 REG.exe, 5524 system.exe, 3488 stsystm.exe,
5528 csrss.exe, 5500 stsystm.exe, 5840 stsystm.exe, 5892 explorer.exe, 5932 Conhost.exe, 5824 REG.exe, 5812 stsystm.exe, 6120 csrss.exe
resource | yara_rule
behavioral2/memory/2948-0-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/files/0x000b00000002301c-9.dat | upx
behavioral2/memory/5032-69-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/2948-103-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/files/0x0006000000023138-120.dat | upx
behavioral2/memory/1572-147-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/2012-224-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/1336-233-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5032-238-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/3884-245-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/4204-247-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/3436-251-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/3388-265-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5308-275-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5344-273-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/1572-277-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5444-293-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/3568-288-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5484-299-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5660-316-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5552-310-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/1220-303-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/2624-305-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/652-296-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5336-272-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/3896-322-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5256-264-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5724-328-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5832-336-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5880-371-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5512-386-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5544-376-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5336-368-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5672-335-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5176-333-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5956-391-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/1808-399-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/1804-400-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/6040-402-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/6048-406-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5148-405-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/1220-407-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/3500-418-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5816-419-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/320-430-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5256-434-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5368-433-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5380-429-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/496-424-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5436-436-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/6004-435-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5204-444-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5304-457-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5760-412-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/3252-459-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/652-460-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/440-458-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5308-464-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/2096-461-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/2916-472-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/3488-467-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/2052-469-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5524-468-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral2/memory/5840-478-0x0000000000400000-0x000000000046A000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\stsystm = "C:\\Windows\\Web\\explorer.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce = "C:\\Windows\\Microsoft.NET\\Framework\\system.exe" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stsystm = "C:\\Users\\Admin\\AppData\\Local\\csrss.exe" | lsass.exe
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\Autorun.inf | lsass.exe
File opened for modification | C:\Autorun.inf | lsass.exe
File created | F:\Autorun.inf | lsass.exe
File opened for modification | F:\Autorun.inf | lsass.exe
Drops file in System32 directory (44 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | explorer.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | winlogon.exe
File created | C:\Windows\SysWOW64\config\kitty.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | stsystm.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | explorer.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | explorer.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | system.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | system.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | nvsvc32.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | explorer.exe
File opened for modification | C:\Windows\SysWOW64\Restore\sysconfig.exe | 3963266117746beab6dd5b66696a135a.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | system.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | explorer.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | system.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | explorer.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | explorer.exe
File created | C:\Windows\SysWOW64\klab0t32.ocx | 3963266117746beab6dd5b66696a135a.exe
File opened for modification | C:\Windows\SysWOW64\config\system.exe | 3963266117746beab6dd5b66696a135a.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | kitty.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | lsass.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | lsass.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | system.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | explore.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | lsass.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | stsystm.exe
File opened for modification | C:\Windows\SysWOW64\config\kitty.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | system.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | lsass.exe
File created | C:\Windows\SysWOW64\Restore\sysconfig.exe | 3963266117746beab6dd5b66696a135a.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | lsass.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | winDLL.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | lsass.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | lsass.exe
File created | C:\Windows\SysWOW64\config\system.exe | 3963266117746beab6dd5b66696a135a.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | stsystm.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | 3963266117746beab6dd5b66696a135a.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | svchost.exe
File opened for modification | C:\Windows\SysWOW64\klab0t32.ocx | system.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\config\smss.exe | explore.exe
File opened for modification | C:\Windows\Help\svchost.exe | winlogon.exe
File opened for modification | C:\Windows\Prefetch\explorer.exe | kitty.exe
File created | C:\Windows\Web\explorer.exe | winlogon.exe
File opened for modification | C:\Windows\Prefetch\taskmgr.exe | 3963266117746beab6dd5b66696a135a.exe
File opened for modification | C:\Windows\Java\invader.exe | csrss.exe
File opened for modification | C:\Windows\Prefetch\system.exe | csrss.exe
File created | C:\Windows\config\svchost.exe | csrss.exe
File created | C:\Windows\Help\svchost.exe | svchost.exe
File created | C:\Windows\Prefetch\taskmgr.exe | 3963266117746beab6dd5b66696a135a.exe
File opened for modification | C:\Windows\msagent\Utilman.exe | winlogon.exe
File created | C:\Windows\msagent\lsass.exe | svchost.exe
File created | C:\Windows\Prefetch\lsass.exe | svchost.exe
File opened for modification | C:\Windows\Web\regidt32.exe | kitty.exe
File created | C:\Windows\Prefetch\system.exe | csrss.exe
File opened for modification | C:\Windows\config\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\system\nvsvc32.exe | kitty.exe
File created | C:\Windows\Fonts\winDLL.exe | winlogon.exe
File opened for modification | C:\Windows\Web\csrss.exe | 3963266117746beab6dd5b66696a135a.exe
File created | C:\Windows\Web\csrss.exe | 3963266117746beab6dd5b66696a135a.exe
File opened for modification | C:\Windows\config\svchost.exe | csrss.exe
File created | C:\Windows\Help\svchost.exe | winlogon.exe
File opened for modification | C:\Windows\inf\system.exe | svchost.exe
File created | C:\Windows\system\nvsvc32.exe | kitty.exe
File opened for modification | C:\Windows\Fonts\services.exe | winlogon.exe
File created | C:\Windows\cursors\lsass.exe | smss.exe
File created | C:\Windows\msagent\csrss.exe | csrss.exe
File created | C:\Windows\msagent\Utilman.exe | winlogon.exe
File created | C:\Windows\config\svchost.exe | lsass.exe
File opened for modification | C:\Windows\Web\explorer.exe | smss.exe
File opened for modification | C:\Windows\cursors\lsass.exe | smss.exe
File created | C:\Windows\msagent\csrss.exe | 3963266117746beab6dd5b66696a135a.exe
File opened for modification | C:\Windows\msagent\lsass.exe | svchost.exe
File created | C:\Windows\inf\system.exe | svchost.exe
File created | C:\Windows\cursors\svchost.exe | lsass.exe
File opened for modification | C:\Windows\msagent\csrss.exe | lsass.exe
File opened for modification | C:\Windows\inf\Executioner.exe | winlogon.exe
File opened for modification | C:\Windows\msagent\csrss.exe | 3963266117746beab6dd5b66696a135a.exe
File created | C:\Windows\Prefetch\Templates.exe | explore.exe
File created | C:\Windows\system\svchost.exe | winlogon.exe
File opened for modification | C:\Windows\msagent\services.exe | winlogon.exe
File opened for modification | C:\Windows\Fonts\winDLL.exe | winlogon.exe
File created | C:\Windows\Fonts\services.exe | winlogon.exe
File opened for modification | C:\Windows\Help\explorer.exe | svchost.exe
File created | C:\Windows\Prefetch\explorer.exe | kitty.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\system.exe | smss.exe
File created | C:\Windows\Java\invader.exe | csrss.exe
File created | C:\Windows\config\services.exe | explore.exe
File opened for modification | C:\Windows\Prefetch\lsass.exe | svchost.exe
File opened for modification | C:\Windows\Web\explorer.exe | winlogon.exe
File created | C:\Windows\Help\csrss.exe | csrss.exe
File opened for modification | C:\Windows\config\smss.exe | explore.exe
File opened for modification | C:\Windows\Prefetch\Templates.exe | explore.exe
File opened for modification | C:\Windows\system\services.exe | winlogon.exe
File created | C:\Windows\msagent\services.exe | winlogon.exe
File created | C:\Windows\config\System.exe | svchost.exe
File created | C:\Windows\msagent\csrss.exe | lsass.exe
File created | C:\Windows\Web\regidt32.exe | kitty.exe
File created | C:\Windows\msagent\smss.exe | winlogon.exe
File opened for modification | C:\Windows\cursors\csrss.exe | winlogon.exe
File created | C:\Windows\Help\explorer.exe | svchost.exe
File opened for modification | C:\Windows\cursors\svchost.exe | lsass.exe
File opened for modification | C:\Windows\msagent\csrss.exe | kitty.exe
File created | C:\Windows\inf\Executioner.exe | winlogon.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Mandirigma - Tear[A]Door /DoomRiderz" | lsass.exe
Modifies registry key (1 TTP, 64 IoCs)
pid Process (all REG.exe):
2320, 5944, 4328, 2244, 5168, 5732, 5836, 5608, 4692, 3908, 6024, 4484, 3732, 912, 556, 6140,
3672, 552, 1808, 3932, 4684, 5824, 2052, 728, 3116, 5260, 3672, 3468, 2648, 1564, 4044, 2648,
5552, 5420, 2224, 5612, 4696, 4660, 5824, 1832, 4204, 3320, 4692, 2304, 6056, 568, 1360, 6072,
5380, 5380, 5652, 1568, 3664, 208, 4468, 5400, 4568, 5536, 1592, 2724, 1480, 4520, 4832, 5732
Suspicious behavior: GetForegroundWindowSpam (5 IoCs)
pid Process:
5336 explorer.exe, 652 lsass.exe, 3896 explorer.exe, 5544 system.exe, 5760 csrss.exe
Suspicious use of FindShellTrayWindow (9 IoCs)
pid Process (all rundll32.exe):
3540, 3952, 1444, 3812, 3312, 492, 3824, 1552, 1476
Suspicious use of SetWindowsHookEx (64 IoCs)
pid Process:
2948 3963266117746beab6dd5b66696a135a.exe, 2012 csrss.exe, 1336 explore.exe, 5032 winlogon.exe, 3884 svchost.exe, 3436 lsass.exe, 3388 kitty.exe, 1572 winlogon.exe,
3568 smss.exe, 652 lsass.exe, 1220 csrss.exe, 2624 stsystm.exe, 4204 REG.exe, 3896 explorer.exe, 5176 system.exe, 5256 system.exe,
5344 lsass.exe, 5308 Conhost.exe, 5336 explorer.exe, 5444 explorer.exe, 5512 lsass.exe, 5484 lsass.exe, 5544 system.exe, 5552 REG.exe,
5660 csrss.exe, 5724 explorer.exe, 5760 csrss.exe, 5672 lsass.exe, 5832 explorer.exe, 5880 csrss.exe, 5816 stsystm.exe, 5956 explorer.exe,
1808 nvsvc32.exe, 1804 stsystm.exe, 6004 stsystm.exe, 5204 explorer.exe, 6040 system.exe, 6048 lsass.exe, 5148 explorer.exe, 3500 system.exe,
5380 stsystm.exe, 496 lsass.exe, 320 explorer.exe, 5256 system.exe, 5368 explorer.exe, 5436 explorer.exe, 4468 system.exe, 4344 explorer.exe,
5304 lsass.exe, 440 csrss.exe, 3252 explorer.exe, 2096 explorer.exe, 2052 REG.exe, 3488 stsystm.exe, 5308 Conhost.exe, 2916 csrss.exe,
5524 system.exe, 5528 csrss.exe, 5840 stsystm.exe, 5500 stsystm.exe, 5892 explorer.exe, 5812 stsystm.exe, 5824 REG.exe, 5932 Conhost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2948 wrote to memory of 3540 | 2948 | 3963266117746beab6dd5b66696a135a.exe | 91
PID 2948 wrote to memory of 3540 | 2948 | 3963266117746beab6dd5b66696a135a.exe | 91
PID 2948 wrote to memory of 3540 | 2948 | 3963266117746beab6dd5b66696a135a.exe | 91
PID 2948 wrote to memory of 2012 | 2948 | 3963266117746beab6dd5b66696a135a.exe | 92
PID 2948 wrote to memory of 2012 | 2948 | 3963266117746beab6dd5b66696a135a.exe | 92
PID 2948 wrote to memory of 2012 | 2948 | 3963266117746beab6dd5b66696a135a.exe | 92
PID 2012 wrote to memory of 3952 | 2012 | csrss.exe | 93
PID 2012 wrote to memory of 3952 | 2012 | csrss.exe | 93
PID 2012 wrote to memory of 3952 | 2012 | csrss.exe | 93
PID 2012 wrote to memory of 1336 | 2012 | csrss.exe | 94
PID 2012 wrote to memory of 1336 | 2012 | csrss.exe | 94
PID 2012 wrote to memory of 1336 | 2012 | csrss.exe | 94
PID 1336 wrote to memory of 1444 | 1336 | explore.exe | 95
PID 1336 wrote to memory of 1444 | 1336 | explore.exe | 95
PID 1336 wrote to memory of 1444 | 1336 | explore.exe | 95
PID 1336 wrote to memory of 5032 | 1336 | explore.exe | 96
PID 1336 wrote to memory of 5032 | 1336 | explore.exe | 96
PID 1336 wrote to memory of 5032 | 1336 | explore.exe | 96
PID 5032 wrote to memory of 3812 | 5032 | winlogon.exe | 97
PID 5032 wrote to memory of 3812 | 5032 | winlogon.exe | 97
PID 5032 wrote to memory of 3812 | 5032 | winlogon.exe | 97
PID 5032 wrote to memory of 3884 | 5032 | winlogon.exe | 98
PID 5032 wrote to memory of 3884 | 5032 | winlogon.exe | 98
PID 5032 wrote to memory of 3884 | 5032 | winlogon.exe | 98
PID 3884 wrote to memory of 3312 | 3884 | svchost.exe | 99
PID 3884 wrote to memory of 3312 | 3884 | svchost.exe | 99
PID 3884 wrote to memory of 3312 | 3884 | svchost.exe | 99
PID 3884 wrote to memory of 3436 | 3884 | svchost.exe | 100
PID 3884 wrote to memory of 3436 | 3884 | svchost.exe | 100
PID 3884 wrote to memory of 3436 | 3884 | svchost.exe | 100
PID 3436 wrote to memory of 492 | 3436 | lsass.exe | 101
PID 3436 wrote to memory of 492 | 3436 | lsass.exe | 101
PID 3436 wrote to memory of 492 | 3436 | lsass.exe | 101
PID 3436 wrote to memory of 3388 | 3436 | lsass.exe | 102
PID 3436 wrote to memory of 3388 | 3436 | lsass.exe | 102
PID 3436 wrote to memory of 3388 | 3436 | lsass.exe | 102
PID 3388 wrote to memory of 3824 | 3388 | kitty.exe | 103
PID 3388 wrote to memory of 3824 | 3388 | kitty.exe | 103
PID 3388 wrote to memory of 3824 | 3388 | kitty.exe | 103
PID 3388 wrote to memory of 1572 | 3388 | kitty.exe | 104
PID 3388 wrote to memory of 1572 | 3388 | kitty.exe | 104
PID 3388 wrote to memory of 1572 | 3388 | kitty.exe | 104
PID 1572 wrote to memory of 1552 | 1572 | winlogon.exe | 105
PID 1572 wrote to memory of 1552 | 1572 | winlogon.exe | 105
PID 1572 wrote to memory of 1552 | 1572 | winlogon.exe | 105
PID 1572 wrote to memory of 3568 | 1572 | winlogon.exe | 491
PID 1572 wrote to memory of 3568 | 1572 | winlogon.exe | 491
PID 1572 wrote to memory of 3568 | 1572 | winlogon.exe | 491
PID 3568 wrote to memory of 1476 | 3568 | smss.exe | 107
PID 3568 wrote to memory of 1476 | 3568 | smss.exe | 107
PID 3568 wrote to memory of 1476 | 3568 | smss.exe | 107
PID 3568 wrote to memory of 652 | 3568 | smss.exe | 108
PID 3568 wrote to memory of 652 | 3568 | smss.exe | 108
PID 3568 wrote to memory of 652 | 3568 | smss.exe | 108
PID 652 wrote to memory of 2648 | 652 | lsass.exe | 543
PID 652 wrote to memory of 2648 | 652 | lsass.exe | 543
PID 652 wrote to memory of 2648 | 652 | lsass.exe | 543
PID 652 wrote to memory of 1808 | 652 | lsass.exe | 256
PID 652 wrote to memory of 1808 | 652 | lsass.exe | 256
PID 652 wrote to memory of 1808 | 652 | lsass.exe | 256
PID 652 wrote to memory of 568 | 652 | lsass.exe | 370
PID 652 wrote to memory of 568 | 652 | lsass.exe | 370
PID 652 wrote to memory of 568 | 652 | lsass.exe | 370
PID 652 wrote to memory of 3664 | 652 | lsass.exe | 115
Processes
(each entry: image path, command line, matched signatures, PID; indentation shows the parent/child depth in the process tree)

[depth 1] C:\Users\Admin\AppData\Local\Temp\3963266117746beab6dd5b66696a135a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3963266117746beab6dd5b66696a135a.exe"
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2948

  [depth 2] C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
    - Suspicious use of FindShellTrayWindow
    PID: 3540

  [depth 2] C:\Windows\Web\csrss.exe
    command line: C:\Windows\Web\csrss.exe
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2012

    [depth 3] C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
      - Suspicious use of FindShellTrayWindow
      PID: 3952

    [depth 3] C:\Windows\System32\drivers\etc\explore.exe
      command line: C:\Windows\System32\drivers\etc\explore.exe
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1336

      [depth 4] C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
        - Suspicious use of FindShellTrayWindow
        PID: 1444

      [depth 4] C:\Windows\System32\drivers\etc\winlogon.exe
        command line: C:\Windows\System32\drivers\etc\winlogon.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 5032

        [depth 5] C:\Windows\SysWOW64\rundll32.exe
          command line: rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
          - Suspicious use of FindShellTrayWindow
          PID: 3812

        [depth 5] C:\Windows\Help\svchost.exe
          command line: C:\Windows\Help\svchost.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 3884

          [depth 6] C:\Windows\SysWOW64\rundll32.exe
            command line: rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
            - Suspicious use of FindShellTrayWindow
            PID: 3312

          [depth 6] C:\Windows\Prefetch\lsass.exe
            command line: C:\Windows\Prefetch\lsass.exe
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 3436

            [depth 7] C:\Windows\SysWOW64\rundll32.exe
              command line: rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
              - Suspicious use of FindShellTrayWindow
              PID: 492

            [depth 7] C:\Windows\SysWOW64\config\kitty.exe
              command line: C:\Windows\System32\config\kitty.exe
              - Drops file in Drivers directory
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 3388

              [depth 8] C:\Windows\SysWOW64\rundll32.exe
                command line: rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
                - Suspicious use of FindShellTrayWindow
                PID: 3824

              [depth 8] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\winlogon.exe
                command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\winlogon.exe"
                - Executes dropped EXE
                - Drops file in System32 directory
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                PID: 1572

                [depth 9] C:\Windows\SysWOW64\rundll32.exe
                  command line: rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
                  - Suspicious use of FindShellTrayWindow
                  PID: 1552

                [depth 9] C:\Windows\Fonts\services.exe
                  command line: C:\Windows\Fonts\services.exe
                  PID: 3568

                  [depth 10] C:\Windows\SysWOW64\rundll32.exe
                    command line: rundll32.exe C:\WINDOWS\SYSTEM32\SHIMGVW.DLL,ImageView_Fullscreen
                    - Suspicious use of FindShellTrayWindow
                    PID: 1476

                  [depth 10] C:\Windows\cursors\lsass.exe
                    command line: C:\Windows\cursors\lsass.exe
                    - Modifies WinLogon for persistence
                    - Sets file execution options in registry
                    - Drops startup file
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Drops autorun.inf file
                    - Drops file in System32 directory
                    - Modifies Internet Explorer settings
                    - Suspicious behavior: GetForegroundWindowSpam
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    PID: 652

                    [depth 11] C:\Windows\SysWOW64\REG.exe
                      command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                      - Modifies registry key
                      PID: 2648

                      [depth 12] C:\Windows\System32\Conhost.exe
                        command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        - Executes dropped EXE
                        - Suspicious use of SetWindowsHookEx
                        PID: 5932

                    [depth 11] C:\Windows\SysWOW64\REG.exe
                      command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f
                      - Modifies registry key
                      PID: 1808

                    [depth 11] C:\Windows\SysWOW64\REG.exe
                      command line: REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f
                      - Modifies registry key
                      PID: 568

                    [depth 11] C:\Windows\SysWOW64\REG.exe
                      command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
                      - Modifies registry key
                      PID: 2320

                    [depth 11] C:\Windows\SysWOW64\REG.exe
                      command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
                      - Modifies registry key
PID:3664
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:4696
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f11⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4660
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:1360
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f11⤵
- Modifies registry key
PID:3932 -
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe12⤵PID:4608
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe12⤵PID:5556
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe12⤵PID:5552
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe12⤵PID:5612
-
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:728
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:4520
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:208
-
-
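The REG add commands above (DisableTaskMgr, DisableCMD, DisableSR, NoRun, NoFind, NoFolderOptions, NoSetFolders, NoRecentDocsMenu, NoTrayContextMenu, HideFileExt, SuperHidden and ShowSuperHidden set to 0) lock the user out of Task Manager, cmd.exe, System Restore and the Explorer options that would reveal the dropped files, and the lsass.exe copy launched from C:\Windows\cursors is the process the report credits with rewriting the Winlogon Userinit and Shell values. The block below is an added example and is not code from the tria.ge report or from the sample: it parses reg add command lines and reports exactly those lockout values, and it splits a Winlogon Userinit/Shell value into its comma-separated entries and reports anything beyond the stock program. The lockout table, the stock Winlogon defaults, and the sample command lines and registry values are constructed here to mirror the tree.

```python
"""Flag the Explorer/Task Manager lockout policies pushed through REG.exe and
the Winlogon Userinit/Shell tampering seen in this process tree.
Added example; the inputs below are constructed to mirror the tree."""
import re

# (key path without hive, value name) -> data that indicates a lockout.
# Assumption: this table is hand-picked from the REG add lines in the tree.
LOCKOUT = {
    (r"software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"): "1",
    (r"software\microsoft\windows\currentversion\policies\system", "disablecmd"): "1",
    (r"software\microsoft\windows nt\currentversion\systemrestore", "disablesr"): "1",
    (r"software\microsoft\windows\currentversion\policies\explorer", "norun"): "1",
    (r"software\microsoft\windows\currentversion\policies\explorer", "nofind"): "1",
    (r"software\microsoft\windows\currentversion\policies\explorer", "nofolderoptions"): "1",
    (r"software\microsoft\windows\currentversion\policies\explorer", "nosetfolders"): "1",
    (r"software\microsoft\windows\currentversion\policies\explorer", "norecentdocsmenu"): "1",
    (r"software\microsoft\windows\currentversion\policies\explorer", "notraycontextmenu"): "1",
    (r"software\microsoft\windows\currentversion\explorer\advanced", "hidefileext"): "1",
    (r"software\microsoft\windows\currentversion\explorer\advanced", "superhidden"): "1",
    (r"software\microsoft\windows\currentversion\explorer\advanced", "showsuperhidden"): "0",
}

HIVES = ("hkey_local_machine", "hkey_current_user", "hklm", "hkcu")

# Stock Winlogon values on a clean Windows 10 host: (bare name, full path).
WINLOGON_EXPECTED = {
    "userinit": ("userinit.exe", r"c:\windows\system32\userinit.exe"),
    "shell": ("explorer.exe", r"c:\windows\explorer.exe"),
}


def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a 'reg add' command line, else None.

    The key is everything between 'add' and the first /switch, so an unquoted
    key that contains a space (the Windows NT subkey) is kept whole."""
    m = re.match(r'^\s*"?(?:\S*\\)?reg(?:\.exe)?"?\s+add\s+(?P<key>.+?)\s+(?=/\w)',
                 cmdline, re.IGNORECASE)
    if not m:
        return None
    key = m.group("key").strip('"')
    rest = cmdline[m.end():]
    opts = {s.lower(): v.strip('"')
            for s, v in re.findall(r'/(v|t|d)\s+("[^"]*"|\S+)', rest, re.IGNORECASE)}
    return key, opts.get("v"), opts.get("d")


def normalize_key(key):
    """Lower-case the key and drop the hive so HKCU and HKEY_CURRENT_USER match."""
    key = key.lower().strip("\\")
    hive, _, path = key.partition("\\")
    return path if hive in HIVES else key


def lockout_findings(cmdlines):
    """Return [(value_name, data)] for each command line that sets a lockout value.

    Data is compared as the literal string reg.exe was given ("1" or "0");
    a hex spelling such as 0x1 would need normalising before the lookup."""
    hits = []
    for cmd in cmdlines:
        parsed = parse_reg_add(cmd)
        if parsed is None or parsed[1] is None:
            continue
        key, name, data = parsed
        want = LOCKOUT.get((normalize_key(key), name.lower()))
        if want is not None and data == want:
            hits.append((name, data))
    return hits


def winlogon_extras(value_name, data):
    """Return the entries of a Userinit/Shell value that are not the stock program.

    A bare name must be the stock name and a path must be the stock path, so a
    second explorer.exe living under Fonts is still reported."""
    bare, full = WINLOGON_EXPECTED[value_name.lower()]
    extras = []
    for entry in data.split(","):
        entry = entry.strip().strip('"').lower()
        if entry and entry not in (bare, full):
            extras.append(entry)
    return extras


# Constructed sample: four command lines from the tree plus one benign one.
SAMPLE_CMDLINES = [
    r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    r"REG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f",
    r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f",
    r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f",
    r"REG add HKCU\Software\Contoso\Demo /v LastRun /t REG_SZ /d 2023-12-31 /f",  # benign, constructed
]

# Constructed sample Winlogon values shaped like the ones this sample writes.
SAMPLE_WINLOGON = {
    "Userinit": r"Userinit.exe, C:\Windows\System32\drivers\etc\stsystm.exe",
    "Shell": r"Explorer.exe, C:\Windows\Fonts\explorer.exe",
}

if __name__ == "__main__":
    for name, data in lockout_findings(SAMPLE_CMDLINES):
        print(f"lockout policy set: {name} = {data}")
    for value in ("Userinit", "Shell"):
        for extra in winlogon_extras(value, SAMPLE_WINLOGON[value]):
            print(f"Winlogon {value} carries an unexpected entry: {extra}")
```

Feed the command lines from Sysmon process-creation events (or from the tria.ge process list) into lockout_findings, and the two Winlogon values read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (and its WOW6432Node copy, which is where this 32-bit sample lands) into winlogon_extras. Matching on the key, value and data rather than on reg.exe alone keeps the check quiet for ordinary administrative reg add calls.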
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:5148
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5524
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5256
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5836
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:4208
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:6104
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:1884
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:4528
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5904
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:2236
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5508
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:4984
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:5216
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:6072
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5380
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f11⤵
- Modifies registry key
PID:556
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5608
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:3116
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5260
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f11⤵
- Executes dropped EXE
- Modifies registry key
- Suspicious use of SetWindowsHookEx
PID:4204
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5168
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:4692
-
-
C:\Windows\SysWOW64\REG.exeREG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:4468
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:4684
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f11⤵PID:5540
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5820
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:4664
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5364
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:6024
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5024
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:3128
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:2492
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5612
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5580
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:3808
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:3672
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f11⤵PID:5532
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:4996
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5380
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5732
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5824 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵PID:2900
-
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f11⤵PID:4724
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵PID:1332
-
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f11⤵PID:3936
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:3672
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:2648
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5944
-
-
C:\Windows\SysWOW64\REG.exeREG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:3320
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:3908
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:6024
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:4608
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:1628
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5320
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5740
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5160
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:6004
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5832
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5472
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5960
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:6056
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5252
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5652
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:2304
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:4068
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f11⤵PID:5408
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5536
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f11⤵PID:5252
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:6140
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:3468
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:4484
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f11⤵
- Executes dropped EXE
- Modifies registry key
- Suspicious use of SetWindowsHookEx
PID:5552
-
-
C:\Windows\SysWOW64\REG.exeREG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:1564
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:6056
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5400 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵PID:5572
-
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5756
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:4284
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:1336
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:4424
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5672
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5816
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:1508
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:4496
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5008
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5476
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5512
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5420 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵PID:5008
-
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:4344
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:1592
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:4832
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f11⤵
- Modifies registry key
PID:3672
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:4328
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5836
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:3732
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:912
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:2724
-
-
C:\Windows\SysWOW64\REG.exeREG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:2224
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f11⤵
- Executes dropped EXE
- Modifies registry key
- Suspicious use of SetWindowsHookEx
PID:5824
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5732
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5724
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:1816
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:2276
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5244
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5852
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:5280
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:2968
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:636
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:4008
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5608
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵
- Drops file in System32 directory
PID:5868
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFind /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:4044
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5380
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f11⤵
- Executes dropped EXE
- Modifies registry key
- Suspicious use of SetWindowsHookEx
PID:2052
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v SuperHidden /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:2244
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f11⤵
- Modifies registry key
PID:4692
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoTrayContextMenu /t REG_DWORD /d 1 /f11⤵PID:916
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSetFolders /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:1480
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f11⤵PID:4856
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5308
-
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRecentDocsMenu /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:1568 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵PID:5388
-
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:5612 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵PID:5260
-
-
-
C:\Windows\SysWOW64\REG.exeREG add HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableSR /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:552
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:4568
-
-
C:\Windows\SysWOW64\REG.exeREG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f11⤵
- Modifies registry key
PID:1832
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:1188
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:4484
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵
- Modifies visibility of hidden/system files in Explorer
- Drops file in System32 directory
PID:3932
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:568
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:4996
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:3236
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5232
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5332
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:4496
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:4984
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:2568
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:6120
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:948
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:1648
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5684
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5624
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:2796
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:3792
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5812
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:4720
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5528
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:1956
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5412
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:6012
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5248
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:2920
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:644
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5632
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:3356
-
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2624
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3896 -
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:440
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5812
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:2132
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5388
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:2236
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5504
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:5332
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5908
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5848
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵
- Drops file in System32 directory
PID:5372
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5740
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:568
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5840
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5556
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5008
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5688
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:440
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:6048
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:5440
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:6124
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:3432
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:6028
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5008
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5252
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:5716
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:4164
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:4212
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:1576
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5520
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:1944
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3488
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:3128
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:4696
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5256
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:3740
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:2444
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:3672
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:3932
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5204
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:2596
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:4880
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:3732
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:5476
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:1956
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:2380
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:4956
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:4964
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:6000
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:2960
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:1804
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:1044
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:3216
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:6104
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:3148
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:1592
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:2328
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:1080
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5684
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:1556
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:3180
-
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5336 -
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:440
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5784
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:6064
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:320
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5464
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5304
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:3440
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:3208
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:3792
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5396
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:2920
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5308
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:5920
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:3916
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5296
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5652
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:2012
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5304
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:5476
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5368
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵
- Drops file in System32 directory
PID:5920
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:1648
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5688
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5792
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:3768
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:216
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5248
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:1120
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:4184
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:6108
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:2976
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5248
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:2492
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:4596
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:2632
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:496
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:4584
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:1544
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5060
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:3708
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5852
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:3560
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:312
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:4944
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:3124
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:4988
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:1828
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:2276
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:1752
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:876
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:4724
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5768
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5588
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:4892
-
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5544 -
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:1220
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:2972
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5276
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5324
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5716
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:4584
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:3488
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:6104
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:568
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:1132
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:6108
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5472
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:5112
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:1380
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5160
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:3020
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:3392
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5532
-
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5760 -
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:2004
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5588
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5148
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:4336
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5384
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:1944
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:5576
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5664
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5116
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4468
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5996
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:1204
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:544
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5388
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5308
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:4036
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵
- Executes dropped EXE
PID:6120
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:4872
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:4724
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5944
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:6128
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:1628
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5528
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5412
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:4328
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:4984
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:2972
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:5632
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5416
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:1648
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:2492
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5248
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4344
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:6068
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:1836
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5716
-
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:956
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:1220
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:2012
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:1656
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:3220
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:4164
-
-
-
C:\Windows\inf\Executioner.exeC:\Windows\inf\Executioner.exe10⤵PID:6004
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe11⤵PID:320
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:5308
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:5932
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:6024
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2916
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:5260
-
-
-
C:\Windows\Fonts\winDLL.exeC:\Windows\Fonts\winDLL.exe10⤵PID:6108
-
-
C:\Windows\cursors\csrss.exeC:\Windows\cursors\csrss.exe10⤵PID:5920
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe11⤵PID:920
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe11⤵PID:1092
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe11⤵PID:3892
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe11⤵PID:5580
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe11⤵PID:1380
-
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe10⤵PID:680
-
-
C:\Windows\Fonts\services.exeC:\Windows\Fonts\services.exe10⤵PID:4400
-
-
-
C:\Windows\inf\Executioner.exeC:\Windows\inf\Executioner.exe9⤵PID:5528
-
-
C:\Windows\Fonts\winDLL.exeC:\Windows\Fonts\winDLL.exe9⤵
- Drops file in System32 directory
PID:5928 -
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe10⤵PID:3772
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe10⤵PID:3600
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe10⤵PID:4692
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe10⤵PID:6140
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe10⤵PID:1464
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe10⤵PID:2920
-
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe9⤵PID:5916
-
-
C:\Windows\cursors\csrss.exeC:\Windows\cursors\csrss.exe9⤵PID:6116
-
-
C:\Windows\Web\regidt32.exeC:\Windows\Web\regidt32.exe9⤵PID:5868
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe10⤵PID:4608
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe10⤵PID:5320
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe10⤵PID:1836
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5176
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe10⤵PID:6128
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe10⤵PID:496
-
-
-
C:\Windows\system\nvsvc32.exeC:\Windows\system\nvsvc32.exe9⤵PID:2244
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe10⤵PID:2844
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe10⤵PID:6092
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe10⤵PID:3392
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe10⤵PID:3160
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe10⤵PID:4724
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5484
-
-
-
C:\Windows\Prefetch\explorer.exeC:\Windows\Prefetch\explorer.exe9⤵PID:2388
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe10⤵PID:5252
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe10⤵PID:3452
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe10⤵PID:5188
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe10⤵PID:6024
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1220
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe10⤵PID:216
-
-
-
C:\Windows\System32\drivers\etc\smss.exeC:\Windows\System32\drivers\etc\smss.exe9⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe10⤵PID:4964
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe10⤵PID:5364
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe10⤵PID:4996
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe10⤵PID:1296
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe10⤵PID:5132
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe10⤵PID:3708
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\winlogon.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\winlogon.exe"9⤵PID:6072
-
-
-
C:\Windows\Web\regidt32.exeC:\Windows\Web\regidt32.exe8⤵PID:4344
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe9⤵PID:6056
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe9⤵PID:5392
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe9⤵PID:1956
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe9⤵PID:5528
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5524
-
-
-
C:\Windows\system\nvsvc32.exeC:\Windows\system\nvsvc32.exe8⤵
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1808 -
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe9⤵PID:4036
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe9⤵PID:3148
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe9⤵PID:2972
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe9⤵PID:5584
-
-
-
C:\Windows\Prefetch\explorer.exeC:\Windows\Prefetch\explorer.exe8⤵PID:3532
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe9⤵PID:5932
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe9⤵PID:6088
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe9⤵PID:5528
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe9⤵PID:3936
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe9⤵PID:2968
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe9⤵PID:6124
-
-
-
C:\Windows\System32\drivers\etc\smss.exeC:\Windows\System32\drivers\etc\smss.exe8⤵PID:4048
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe9⤵PID:2824
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe9⤵PID:3320
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe9⤵PID:5716
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe9⤵PID:5480
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe9⤵PID:5128
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe9⤵PID:728
-
-
-
C:\Windows\SysWOW64\config\kitty.exeC:\Windows\System32\config\kitty.exe8⤵PID:5904
-
-
C:\Windows\cursors\svchost.exeC:\Windows\cursors\svchost.exe8⤵PID:5416
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe9⤵PID:2844
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe9⤵PID:5140
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe9⤵PID:828
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe9⤵PID:5876
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe9⤵PID:1464
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe9⤵PID:5752
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\smss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\smss.exe"8⤵PID:5512
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe9⤵PID:3216
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe9⤵PID:3432
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe9⤵PID:4948
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe9⤵PID:2996
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe9⤵PID:5820
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe9⤵PID:6052
-
-
-
-
C:\Windows\cursors\svchost.exeC:\Windows\cursors\svchost.exe7⤵PID:5204
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe8⤵PID:496
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5892
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3252
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe8⤵PID:568
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe8⤵PID:5344
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe8⤵PID:5572
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\smss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\smss.exe"7⤵
- Drops file in System32 directory
PID:6012 -
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe8⤵PID:5564
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe8⤵PID:2492
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe8⤵PID:5136
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe8⤵PID:680
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe8⤵PID:3488
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe8⤵PID:432
-
-
-
C:\Windows\Help\explorer.exeC:\Windows\Help\explorer.exe7⤵
- Drops file in System32 directory
PID:5680 -
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe8⤵PID:1844
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe8⤵PID:5496
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe8⤵PID:2328
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe8⤵
- Drops file in System32 directory
PID:4824
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe8⤵PID:5996
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe8⤵PID:6140
-
-
-
C:\Windows\inf\system.exeC:\Windows\inf\system.exe7⤵PID:816
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe8⤵PID:1576
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe8⤵PID:6124
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe8⤵PID:1296
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe8⤵PID:3432
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe8⤵PID:5896
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe8⤵PID:4696
-
-
-
C:\Windows\Help\svchost.exeC:\Windows\Help\svchost.exe7⤵PID:5116
-
-
C:\Windows\Prefetch\lsass.exeC:\Windows\Prefetch\lsass.exe7⤵PID:4068
-
-
-
C:\Windows\Help\explorer.exeC:\Windows\Help\explorer.exe6⤵PID:5816
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1804
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe7⤵PID:5380
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2096
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe7⤵PID:5824
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe7⤵PID:2900
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe7⤵PID:5292
-
-
-
C:\Windows\inf\system.exeC:\Windows\inf\system.exe6⤵PID:5672
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe7⤵PID:5724
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe7⤵PID:5848
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe7⤵PID:5608
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe7⤵PID:5944
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe7⤵PID:2940
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe7⤵PID:1464
-
-
-
C:\Windows\Help\svchost.exeC:\Windows\Help\svchost.exe6⤵PID:5952
-
-
C:\Windows\system\svchost.exeC:\Windows\system\svchost.exe6⤵PID:5136
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe7⤵PID:2908
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe7⤵PID:5520
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe7⤵PID:5480
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5660
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe7⤵PID:5464
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe7⤵PID:3672
-
-
-
C:\Windows\system\services.exeC:\Windows\system\services.exe6⤵PID:5636
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5812
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe7⤵PID:5348
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe7⤵PID:3396
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe7⤵PID:2960
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe7⤵PID:4208
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5344
-
-
-
C:\Windows\Help\svchost.exeC:\Windows\Help\svchost.exe6⤵PID:5624
-
-
-
C:\Windows\system\svchost.exeC:\Windows\system\svchost.exe5⤵PID:5512
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe6⤵PID:6048
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe6⤵PID:2916
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe6⤵PID:5368
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe6⤵PID:6120
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe6⤵PID:2908
-
-
-
C:\Windows\system\services.exeC:\Windows\system\services.exe5⤵PID:3932
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe6⤵PID:5728
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe6⤵PID:5380
-
-
-
C:\Windows\Prefetch\Templates.exeC:\Windows\Prefetch\Templates.exe5⤵PID:6048
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe6⤵PID:5388
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe6⤵PID:5996
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe6⤵PID:496
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe6⤵PID:5420
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe6⤵PID:5688
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe6⤵PID:5484
-
-
-
C:\Windows\Prefetch\system.exeC:\Windows\Prefetch\system.exe5⤵PID:3492
-
-
C:\Windows\SysWOW64\drivers\explorer.exeC:\Windows\System32\drivers\explorer.exe5⤵PID:5248
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe6⤵PID:3440
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe6⤵PID:208
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe6⤵PID:5948
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe6⤵PID:3068
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe6⤵PID:2052
-
-
-
C:\Windows\System32\drivers\etc\winlogon.exeC:\Windows\System32\drivers\etc\winlogon.exe5⤵PID:3220
-
-
-
C:\Windows\Prefetch\Templates.exeC:\Windows\Prefetch\Templates.exe4⤵PID:5344
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe5⤵PID:5484
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe5⤵PID:5724
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5956
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3500
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe5⤵PID:5304
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe5⤵PID:5840
-
-
-
C:\Windows\Prefetch\system.exeC:\Windows\Prefetch\system.exe4⤵PID:5372
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe5⤵PID:5476
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe5⤵PID:4684
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe5⤵PID:3432
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe5⤵PID:5476
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe5⤵PID:5008
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe5⤵PID:5008
-
-
-
C:\Windows\SysWOW64\drivers\explorer.exeC:\Windows\System32\drivers\explorer.exe4⤵
- Drops file in System32 directory
PID:1392 -
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe5⤵PID:4444
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe5⤵PID:1416
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe5⤵PID:5308
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe5⤵PID:5816
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe5⤵PID:5608
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe5⤵PID:4164
-
-
-
C:\Windows\System32\drivers\etc\explore.exeC:\Windows\System32\drivers\etc\explore.exe4⤵PID:4148
-
-
C:\Windows\Prefetch\system.exeC:\Windows\Prefetch\system.exe4⤵PID:6060
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe5⤵PID:432
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe5⤵PID:5324
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe5⤵PID:5792
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe5⤵PID:4892
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe5⤵PID:5740
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe5⤵PID:5752
-
-
-
C:\Windows\Help\csrss.exeC:\Windows\Help\csrss.exe4⤵PID:3204
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe5⤵PID:1956
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe5⤵PID:5540
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe5⤵PID:4984
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe5⤵PID:2792
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe5⤵PID:208
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe5⤵PID:4664
-
-
-
-
C:\Windows\Prefetch\system.exeC:\Windows\Prefetch\system.exe3⤵PID:5176
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe4⤵PID:5308
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe4⤵PID:5552
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe4⤵PID:5832
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6040
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe4⤵PID:5436
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe4⤵PID:2052
-
-
-
C:\Windows\Help\csrss.exeC:\Windows\Help\csrss.exe3⤵PID:4824
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe4⤵PID:4036
-
-
C:\Windows\Web\explorer.exeC:\Windows\Web\explorer.exe4⤵PID:5352
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe4⤵PID:5552
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe4⤵PID:5652
-
-
C:\Windows\Microsoft.NET\Framework\system.exeC:\Windows\Microsoft.NET\Framework\system.exe4⤵PID:3892
-
-
C:\Windows\Fonts\explorer.exeC:\Windows\Fonts\explorer.exe4⤵PID:784
-
-
-
C:\Windows\cursors\lsass.exeC:\Windows\cursors\lsass.exe C:\Windows\Prefetch\taskmgr.exe3⤵PID:3404
-
-
C:\Windows\SysWOW64\Restore\sysconfig.exeC:\Windows\System32\Restore\sysconfig.exe3⤵PID:5132
-
-
C:\Windows\SysWOW64\config\system.exeC:\Windows\System32\config\system.exe3⤵PID:4892
-
-
C:\Windows\System32\drivers\etc\explorer.exeC:\Windows\System32\drivers\etc\explorer.exe3⤵PID:6044
-
C:\Windows\System32\drivers\etc\stsystm.exeC:\Windows\System32\drivers\etc\stsystm.exe4⤵PID:3052
-
-
Process tree, continued (nesting depth in brackets; the parents of the first depth-4 entries precede this section; where the command line differs from the on-disk image path it is shown separately):

            [4] C:\Windows\Fonts\explorer.exe (PID 5792)
            [4] C:\Windows\Web\explorer.exe (PID 5324)
            [4] C:\Windows\Microsoft.NET\Framework\system.exe (PID 5836)
            [4] C:\Users\Admin\AppData\Local\csrss.exe (PID 5264)
            [4] C:\Windows\cursors\lsass.exe (PID 5104)
        [3] C:\Windows\Web\csrss.exe (PID 5128)
    [2] C:\Windows\Prefetch\taskmgr.exe (PID 1220)
        [3] C:\Windows\System32\drivers\etc\stsystm.exe (PID 4204)
        [3] C:\Windows\Fonts\explorer.exe (PID 5256)
        [3] C:\Windows\Microsoft.NET\Framework\system.exe (PID 5660)
        [3] C:\Users\Admin\AppData\Local\csrss.exe (PID 5880)
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [3] C:\Windows\cursors\lsass.exe (PID 1808)
            [4] C:\Windows\Fonts\explorer.exe (PID 5188)
            [4] C:\Windows\System32\drivers\etc\stsystm.exe (PID 5820)
        [3] C:\Windows\Web\explorer.exe (PID 5444)
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\SysWOW64\Restore\sysconfig.exe (PID 4468; command line: C:\Windows\System32\Restore\sysconfig.exe)
        [3] C:\Windows\Fonts\explorer.exe (PID 6012)
        [3] C:\Windows\Web\explorer.exe (PID 3244)
        [3] C:\Users\Admin\AppData\Local\csrss.exe (PID 2976)
        [3] C:\Windows\cursors\lsass.exe (PID 5620)
        [3] C:\Windows\Microsoft.NET\Framework\system.exe (PID 2632)
    [2] C:\Windows\SysWOW64\config\system.exe (PID 1556; command line: C:\Windows\System32\config\system.exe)
        - Drops file in System32 directory
        [3] C:\Windows\Web\explorer.exe (PID 1332)
        [3] C:\Windows\Microsoft.NET\Framework\system.exe (PID 5324)
        [3] C:\Users\Admin\AppData\Local\csrss.exe (PID 5988)
        [3] C:\Windows\cursors\lsass.exe (PID 6060)
    [2] C:\Windows\System32\drivers\etc\explorer.exe (PID 5852)
[1] C:\Windows\System32\drivers\etc\stsystm.exe (PID 5672)
[1] C:\Windows\System32\drivers\etc\stsystm.exe (PID 3488)
[1] C:\Windows\System32\drivers\etc\stsystm.exe (PID 5500)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\System32\drivers\etc\stsystm.exe (PID 5256)
[1] C:\Windows\Fonts\explorer.exe (PID 5436)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\System32\drivers\etc\stsystm.exe (PID 412)
[1] C:\Windows\System32\drivers\etc\stsystm.exe (PID 3068)
[1] C:\Windows\system32\svchost.exe (PID 4208; command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv)
[1] C:\Windows\servicing\TrustedInstaller.exe (PID 920)
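Two patterns in the tree above are worth turning into a repeatable check: dropped binaries that borrow core Windows names (csrss.exe, lsass.exe, explorer.exe, taskmgr.exe) but live in directories that never hold programs (Fonts, Web, cursors, Prefetch, drivers\etc, System32\config, the root of AppData\Local), and two entries whose on-disk image path is under SysWOW64 while the command line that launched them named System32, which is what WoW64 file-system redirection does to a CreateProcess call made by a 32-bit parent. The script below is an added example written for this page, not part of the tria.ge report or its tooling. The allow-list of stock directories (SYSTEM_BINARY_DIRS) and the data-only directory patterns (DATA_ONLY_DIRS) are the editor's assumptions for a default Windows 10 image; the SAMPLE records are constructed from a subset of the tree above.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # on-disk path of the executable, as the sandbox reports it
    cmdline: str  # command line the parent passed to CreateProcess


# Where Windows itself runs these binaries from (lower-case, no trailing
# backslash). ASSUMPTION: editor's allow-list for a stock Windows 10 image.
SYSTEM_BINARY_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "taskmgr.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "trustedinstaller.exe": {r"c:\windows\servicing"},
}

# Directories that hold data (fonts, hosts file, registry hives, prefetch
# traces), never programs. ASSUMPTION: editor's list, same caveat as above.
DATA_ONLY_DIRS = [
    re.compile(r"^c:\\windows\\(fonts|web|cursors|prefetch)$"),
    re.compile(r"^c:\\windows\\(system32|syswow64)\\(drivers\\etc|config)$"),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local$"),
]


def _norm_dir(path: str) -> str:
    """Directory part of a Windows path, lower-cased, without trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\")


def _exe_from_cmdline(cmdline: str) -> str:
    """First token of a Windows command line, up to and including '.exe'."""
    m = re.match(r'\s*"?([^"]*?\.exe)', cmdline, re.IGNORECASE)
    return m.group(1) if m else cmdline.split()[0]


def findings_for(proc: Proc) -> list[str]:
    """Return the masquerading/redirection rules this process trips (empty = clean)."""
    out = []
    name = ntpath.basename(proc.image).lower()
    img_dir = _norm_dir(proc.image)
    cmd_dir = _norm_dir(_exe_from_cmdline(proc.cmdline))

    expected = SYSTEM_BINARY_DIRS.get(name)
    if expected and img_dir not in expected:
        out.append(f"{name} running from {img_dir!r}, expected one of {sorted(expected)}")
    if any(p.match(img_dir) for p in DATA_ONLY_DIRS):
        out.append(f"executable launched from data-only directory {img_dir!r}")
    # Parent asked for System32 but the image lives in SysWOW64: the
    # CreateProcess call came from a 32-bit process and was redirected.
    if img_dir.startswith(r"c:\windows\syswow64") and cmd_dir.startswith(r"c:\windows\system32"):
        out.append("WoW64 file-system redirection (32-bit parent targeted System32)")
    return out


def triage(procs) -> dict[int, list[str]]:
    """Map pid -> findings for every process that tripped at least one rule."""
    return {p.pid: f for p in procs if (f := findings_for(p))}


# Constructed sample: a subset of the process tree above (image path, command
# line, PID), including the two stock system processes at the end of the tree.
SAMPLE = [
    Proc(5792, r"C:\Windows\Fonts\explorer.exe", r"C:\Windows\Fonts\explorer.exe"),
    Proc(5264, r"C:\Users\Admin\AppData\Local\csrss.exe", r"C:\Users\Admin\AppData\Local\csrss.exe"),
    Proc(5104, r"C:\Windows\cursors\lsass.exe", r"C:\Windows\cursors\lsass.exe"),
    Proc(1220, r"C:\Windows\Prefetch\taskmgr.exe", r"C:\Windows\Prefetch\taskmgr.exe"),
    Proc(4204, r"C:\Windows\System32\drivers\etc\stsystm.exe", r"C:\Windows\System32\drivers\etc\stsystm.exe"),
    Proc(1556, r"C:\Windows\SysWOW64\config\system.exe", r"C:\Windows\System32\config\system.exe"),
    Proc(4208, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv"),
    Proc(920, r"C:\Windows\servicing\TrustedInstaller.exe", r"C:\Windows\servicing\TrustedInstaller.exe"),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE).items():
        print(pid, *hits, sep="\n    ")
```

Run as-is, the six dropped binaries in SAMPLE are reported and the two depth-1 system processes from the end of the tree (svchost.exe hosting wuauserv from system32, TrustedInstaller.exe from servicing) pass, because they run from their stock locations. The name-based rule only covers binaries in the allow-list, so stsystm.exe, system.exe and sysconfig.exe are caught by the directory and redirection rules instead; the WoW64 rule also tells you the launching process was 32-bit, which matters when you pick the hive view to inspect for its registry changes.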
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution, T1547 (3)
        Registry Run Keys / Startup Folder, T1547.001 (2)
        Winlogon Helper DLL, T1547.004 (1)
Privilege Escalation
    Boot or Logon Autostart Execution, T1547 (3)
        Registry Run Keys / Startup Folder, T1547.001 (2)
        Winlogon Helper DLL, T1547.004 (1)
Downloads
- Filesize: 1KB
  MD5: 527c8e9f1dc55effbe0a5c62494b5826
  SHA1: 9f663b03eaf3e1c377520564322599c564bdab3e
  SHA256: 209a76fad6beb5d3320e0a4b9452b2c12ffb76592bc70e9ebbec659c12ea9e77
  SHA512: a87462c566a52eeaf7c0c98deca154262fffd16a5380a460fc43b629c1ed9ef275d9e0d5f7b3a01a724d5e61977f8d2933f8fff6560dbb709465083cd5a2f3f9
- Filesize: 64KB
  MD5: c3040de922a93b2d683f27423de26b9f
  SHA1: 3b4c0c6d388de68bc1ee49657e7ccd04e367e68e
  SHA256: 481dfa28b43d92cb4c7decaf5fa5468ae96b1bcff173b4bce19ae92089d2bf1d
  SHA512: 1bfc7e6b0b44f2bd44693fa37805feb75e99b40bbe234f5dae13a25eb325d0807266a11490df5175cb18b3afa3758a2111bf8c334a80a9298b40fe73a4a09a8a
- Filesize: 9B
  MD5: 9e9742780f7eac6d10ff0eb4d1817896
  SHA1: 51497c2b4bacafcdc7383f6957f1d6be6a4e2dae
  SHA256: d97303da840d2dfce966eb7173b43129d00f7566652dc61f45ab9c77dbfb5608
  SHA512: 1342a71d99d583399662fd57057d3b53589035620fd6585a3f242bc53efe70be9a8a856bebcd7d207934ac508e8885d15ad28dba54ddd0cd040fbc8bb13b68af
- Filesize: 106KB
  MD5: 3963266117746beab6dd5b66696a135a
  SHA1: 45e4b3614f5a3b50af94a7951cc820720c57db9f
  SHA256: 420bf0074bd44502304ad11385d074f80e04827529920c2ef9fe06e19c475f25
  SHA512: 8f11f6c228a3ec6b578fe43405b0e5427cd051642081b91241e5444e3a3b34ee597ff96daf70a20766c56900dffa10e90281cad5f439b6853e5f51fd5977f761
- Filesize: 232B
  MD5: 7e63168cbad085e6a622185341172eec
  SHA1: da57dd0e3dc0f4d95a155abff78a10cc97cef27d
  SHA256: 90556f6f078cb5838d64260161a24b647c92c8ba6eace5e337c8f0bbc832a8be
  SHA512: b88a97c00353e8d0b6c436d149bdef0f66ec6dd98b830aa10615ecc7c69dc8d8e81cfa120c745eb0ed708450178ca55eba180e0e595e37afbbafff8d38ffb00d