e9f8eaa5d20ba8d588ca0e05246d9bd6a4ab04f1d198e613ce5f512e55e8d782

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/01/2024, 14:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

32KB
MD5

a28578a343cc18414ae96edc47ff09d5
SHA1

9792c7fd8c4c41be63d1f4bad742a57c48ed0dfb
SHA256

e9f8eaa5d20ba8d588ca0e05246d9bd6a4ab04f1d198e613ce5f512e55e8d782
SHA512

79bf3d184ddbd5489d80edb8973af3eb5c3383997becdb6f98fc858785108ec8d6a50ca3f0bebb8f0119bd8505405a6f60c313cce0b2cf2d7716f72bed4e4d18
SSDEEP

384:8LipZl447piqb/lUYf5uH3w59AMRG5qUIjFgOrjFymqAeO8W8xlrG:dmiiqTfk2AMRGwlFgOrjsblK

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2364	attrib.exe
1108	attrib.exe
1736	attrib.exe
3060	attrib.exe
2724	attrib.exe
2476	attrib.exe
1968	attrib.exe
612	attrib.exe
2632	attrib.exe
2628	attrib.exe
3068	attrib.exe
2344	attrib.exe
2600	attrib.exe
2348	attrib.exe
2380	attrib.exe
516	attrib.exe
2188	attrib.exe
2152	attrib.exe
1608	attrib.exe
1768	attrib.exe
1728	attrib.exe
2388	attrib.exe
1672	attrib.exe
964	attrib.exe
2820	attrib.exe
1732	attrib.exe
1664	attrib.exe
1732	attrib.exe
1080	attrib.exe
2204	attrib.exe
1512	attrib.exe
1868	attrib.exe
1916	attrib.exe
2868	attrib.exe
2000	attrib.exe
2524	attrib.exe
2448	attrib.exe
2704	attrib.exe
2248	attrib.exe
1424	attrib.exe
860	attrib.exe
2760	attrib.exe
2364	attrib.exe
156	attrib.exe
772	attrib.exe
2976	attrib.exe
1616	attrib.exe
1268	attrib.exe
2432	attrib.exe
2464	attrib.exe
1556	attrib.exe
2440	attrib.exe
2180	attrib.exe
2456	attrib.exe
2304	attrib.exe
1124	attrib.exe
2760	attrib.exe
3056	attrib.exe
2888	attrib.exe
2728	attrib.exe
2760	attrib.exe
1408	attrib.exe
2520	attrib.exe
2908	attrib.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.zrz	cmd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.zrz	cmd.exe
File created	C:\Program Files (x86)\Windows Mail\wab.exe	1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.zrz	conhost.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.zrz	attrib.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.zrz	attrib.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.zrz	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.zrz	conhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.zrz	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.zrz	conhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.zrz	attrib.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	1.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.zrz	attrib.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.zrz	cmd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	1.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.zrz	conhost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	1.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.zrz	attrib.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe	1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	1.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.zrz	cmd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.zrz	attrib.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	1.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.zrz	1.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe	1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.zrz	attrib.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	1.exe
File created	C:\Program Files (x86)\Google\Update\Install\{457A3A65-A1DA-4079-AD34-F52C28F93A8D}\chrome_installer.exe	1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.zrz	conhost.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 13 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1172	ipconfig.exe
2188	ipconfig.exe
1896	ipconfig.exe
2300	ipconfig.exe
2452	ipconfig.exe
2856	ipconfig.exe
940	ipconfig.exe
2684	ipconfig.exe
2408	ipconfig.exe
2552	ipconfig.exe
2868	ipconfig.exe
1648	ipconfig.exe
2700	ipconfig.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
1884	taskkill.exe
1972	taskkill.exe
2152	taskkill.exe
2200	taskkill.exe
1220	taskkill.exe
2744	taskkill.exe
1268	taskkill.exe
2676	taskkill.exe
1600	taskkill.exe
2408	taskkill.exe
2784	taskkill.exe
2092	taskkill.exe
2732	taskkill.exe
2132	taskkill.exe
2280	taskkill.exe
2800	taskkill.exe
1800	taskkill.exe
2516	taskkill.exe
1220	taskkill.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	ipconfig.exe
Token: SeDebugPrivilege	1600	cmd.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	2732	conhost.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	2200	cmd.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	1220	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	2516	taskkill.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
2268	1.exe
2616	1.exe
2140	1.exe
2584	1.exe
2036	1.exe
268	1.exe
1104	1.exe
2496	1.exe
1900	1.exe
524	1.exe
1656	1.exe
2860	1.exe
1244	1.exe
2856	1.exe
604	1.exe
2232	1.exe
2680	1.exe
2324	1.exe
2756	1.exe
1504	1.exe
2088	1.exe
2104	1.exe
1608	1.exe
668	1.exe
2644	1.exe
2416	1.exe
1424	1.exe
2244	1.exe
1740	1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1068	2268	1.exe	28
PID 2268 wrote to memory of 1068	2268	1.exe	28
PID 2268 wrote to memory of 1068	2268	1.exe	28
PID 2268 wrote to memory of 1068	2268	1.exe	28
PID 2268 wrote to memory of 1672	2268	1.exe	30
PID 2268 wrote to memory of 1672	2268	1.exe	30
PID 2268 wrote to memory of 1672	2268	1.exe	30
PID 2268 wrote to memory of 1672	2268	1.exe	30
PID 2268 wrote to memory of 2004	2268	1.exe	32
PID 2268 wrote to memory of 2004	2268	1.exe	32
PID 2268 wrote to memory of 2004	2268	1.exe	32
PID 2268 wrote to memory of 2004	2268	1.exe	32
PID 2268 wrote to memory of 2280	2268	1.exe	34
PID 2268 wrote to memory of 2280	2268	1.exe	34
PID 2268 wrote to memory of 2280	2268	1.exe	34
PID 2268 wrote to memory of 2280	2268	1.exe	34
PID 2268 wrote to memory of 2800	2268	1.exe	36
PID 2268 wrote to memory of 2800	2268	1.exe	36
PID 2268 wrote to memory of 2800	2268	1.exe	36
PID 2268 wrote to memory of 2800	2268	1.exe	36
PID 2268 wrote to memory of 3020	2268	1.exe	38
PID 2268 wrote to memory of 3020	2268	1.exe	38
PID 2268 wrote to memory of 3020	2268	1.exe	38
PID 2268 wrote to memory of 3020	2268	1.exe	38
PID 2268 wrote to memory of 2776	2268	1.exe	40
PID 2268 wrote to memory of 2776	2268	1.exe	40
PID 2268 wrote to memory of 2776	2268	1.exe	40
PID 2268 wrote to memory of 2776	2268	1.exe	40
PID 2776 wrote to memory of 2552	2776	cmd.exe	42
PID 2776 wrote to memory of 2552	2776	cmd.exe	42
PID 2776 wrote to memory of 2552	2776	cmd.exe	42
PID 2776 wrote to memory of 2552	2776	cmd.exe	42
PID 2268 wrote to memory of 2344	2268	1.exe	43
PID 2268 wrote to memory of 2344	2268	1.exe	43
PID 2268 wrote to memory of 2344	2268	1.exe	43
PID 2268 wrote to memory of 2344	2268	1.exe	43
PID 2268 wrote to memory of 2616	2268	1.exe	45
PID 2268 wrote to memory of 2616	2268	1.exe	45
PID 2268 wrote to memory of 2616	2268	1.exe	45
PID 2268 wrote to memory of 2616	2268	1.exe	45
PID 2616 wrote to memory of 2832	2616	1.exe	46
PID 2616 wrote to memory of 2832	2616	1.exe	46
PID 2616 wrote to memory of 2832	2616	1.exe	46
PID 2616 wrote to memory of 2832	2616	1.exe	46
PID 2616 wrote to memory of 2492	2616	1.exe	48
PID 2616 wrote to memory of 2492	2616	1.exe	48
PID 2616 wrote to memory of 2492	2616	1.exe	48
PID 2616 wrote to memory of 2492	2616	1.exe	48
PID 2268 wrote to memory of 2440	2268	1.exe	50
PID 2268 wrote to memory of 2440	2268	1.exe	50
PID 2268 wrote to memory of 2440	2268	1.exe	50
PID 2268 wrote to memory of 2440	2268	1.exe	50
PID 2268 wrote to memory of 2520	2268	1.exe	150
PID 2268 wrote to memory of 2520	2268	1.exe	150
PID 2268 wrote to memory of 2520	2268	1.exe	150
PID 2268 wrote to memory of 2520	2268	1.exe	150
PID 2616 wrote to memory of 2976	2616	1.exe	152
PID 2616 wrote to memory of 2976	2616	1.exe	152
PID 2616 wrote to memory of 2976	2616	1.exe	152
PID 2616 wrote to memory of 2976	2616	1.exe	152
PID 2268 wrote to memory of 1108	2268	1.exe	56
PID 2268 wrote to memory of 1108	2268	1.exe	56
PID 2268 wrote to memory of 1108	2268	1.exe	56
PID 2268 wrote to memory of 1108	2268	1.exe	56

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1392	attrib.exe
2440	attrib.exe
2756	attrib.exe
1936	attrib.exe
2088	attrib.exe
2464	attrib.exe
516	attrib.exe
2492	attrib.exe
932	attrib.exe
1408	attrib.exe
456	attrib.exe
2868	attrib.exe
1108	attrib.exe
1768	attrib.exe
2912	attrib.exe
1616	attrib.exe
2548	attrib.exe
1732	attrib.exe
1556	attrib.exe
2844	attrib.exe
2760	attrib.exe
2000	attrib.exe
2104	attrib.exe
1664	attrib.exe
2432	attrib.exe
2204	attrib.exe
2908	attrib.exe
2976	attrib.exe
1968	attrib.exe
456	attrib.exe
2424	attrib.exe
1564	attrib.exe
2180	attrib.exe
668	attrib.exe
1912	attrib.exe
1956	attrib.exe
1896	attrib.exe
1664	attrib.exe
2976	attrib.exe
1440	attrib.exe
2416	attrib.exe
2744	attrib.exe
2716	attrib.exe
2432	attrib.exe
2824	attrib.exe
2416	attrib.exe
1408	attrib.exe
2196	attrib.exe
2760	attrib.exe
2160	attrib.exe
2600	attrib.exe
2248	attrib.exe
1688	attrib.exe
1080	attrib.exe
772	attrib.exe
1728	attrib.exe
1868	attrib.exe
2252	attrib.exe
2196	attrib.exe
2364	attrib.exe
2160	attrib.exe
1644	attrib.exe
1700	attrib.exe
1736	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo --===Kuzja Report===-- > "C:\system.log"
  2⤵
  PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\system.log"
  2⤵
  PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\system.log"
  2⤵
  PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\system.log"
  2⤵
  PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\system.log"
  2⤵
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\system.log"
  2⤵
  PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /all >> "C:\system.log"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\system.log"
  2⤵
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo --===Kuzja Report===-- > "C:\system.log"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ipconfig /all >> "C:\system.log"
    3⤵
    PID:2248
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo --===Kuzja Report===-- > "C:\system.log"
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:1132
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2316
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /all >> "C:\system.log"
      4⤵
      PID:2792
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
      4⤵
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        5⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1536
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1568
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2676
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        5⤵
        
        PID:640
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:1896
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2036
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:2696
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:112
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2952
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2996
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2656
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        6⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:1648
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:3028
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        7⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        8⤵
        Gathers network information
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        8⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        8⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        8⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        8⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        8⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        8⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        8⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        9⤵
        Gathers network information
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        8⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        8⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        9⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        9⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        8⤵
        Drops file in Program Files directory
        
        PID:860
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        7⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:2104
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        7⤵
        Sets file to hidden
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        7⤵
        Sets file to hidden
        
        PID:156
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        7⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:2548
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        7⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1556
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        7⤵
        
        PID:2700
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        6⤵
        Sets file to hidden
        
        PID:2448
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:1896
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        6⤵
        Sets file to hidden
        
        PID:1672
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:2492
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        6⤵
        Sets file to hidden
        
        PID:2188
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        6⤵
        
        PID:1488
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2180
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        6⤵
        
        PID:1796
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.zrz"
        6⤵
        Sets file to hidden
        
        PID:2364
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.zrz"
        6⤵
        Sets file to hidden
        
        PID:964
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.zrz"
        6⤵
        
        PID:652
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\OIS.zrz"
        6⤵
        
        PID:1488
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.zrz"
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.zrz"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1732
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.zrz"
        6⤵
        
        PID:860
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        Drops file in Program Files directory
        
        PID:1488
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        5⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        5⤵
        
        PID:652
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        5⤵
        Sets file to hidden
        
        PID:2380
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2760
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:516
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:456
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.zrz"
        5⤵
        
        PID:2900
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.zrz"
        5⤵
        Sets file to hidden
        
        PID:3060
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:932
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\Install\{457A3A65-A1DA-4079-AD34-F52C28F93A8D}\chrome_installer.zrz"
        5⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.zrz"
        5⤵
        Sets file to hidden
        
        PID:2344
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2424
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1868
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        5⤵
        
        PID:2936
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        5⤵
        
        PID:744
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1900
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:2704
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:1440
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:584
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:1768
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2384
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:1680
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        6⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:2700
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2884
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        7⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        8⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        8⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        8⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        8⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        8⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        8⤵
        
        PID:156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        8⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        8⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        9⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        9⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2440
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        7⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        7⤵
        Sets file to hidden
        
        PID:2820
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        7⤵
        Views/modifies file attributes
        
        PID:2976
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        7⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        7⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        7⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        7⤵
        Sets file to hidden
        
        PID:2888
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        7⤵
        Sets file to hidden
        
        PID:2632
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:1664
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:1564
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        6⤵
        
        PID:112
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        6⤵
        
        PID:1644
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:2000
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:2744
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:1936
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        6⤵
        
        PID:1920
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:1688
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:1392
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.zrz"
        6⤵
        Sets file to hidden
        
        PID:860
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.zrz"
        6⤵
        
        PID:2156
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:1644
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.zrz"
        6⤵
        
        PID:2552
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:1700
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:1508
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        5⤵
        Kills process with taskkill
        
        PID:1600
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "1.exe"
        5⤵
        Kills process with taskkill
        
        PID:2744
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2464
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
      4⤵
      PID:2456
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
      4⤵
      PID:2520
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2976
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.zrz"
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.zrz"
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1616
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.zrz"
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.zrz"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1736
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.zrz"
      4⤵
      PID:1440
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.zrz"
      4⤵
      Sets file to hidden
      PID:1512
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.zrz"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1728
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.zrz"
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.zrz"
      4⤵
      Sets file to hidden
      PID:2524
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.zrz"
      4⤵
      Sets file to hidden
      PID:3068
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.zrz"
      4⤵
      Sets file to hidden
      PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
      4⤵
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2496
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        5⤵
        
        PID:820
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1896
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1764
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        5⤵
        
        PID:2028
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:860
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1244
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:2684
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2032
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2916
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:1536
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2624
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:928
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        6⤵
        
        PID:940
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:2300
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2224
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        7⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        Drops file in Program Files directory
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        8⤵
        Drops file in Program Files directory
        
        PID:964
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:2252
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        6⤵
        
        PID:2744
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        6⤵
        Sets file to hidden
        
        PID:612
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        6⤵
        
        PID:2836
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        6⤵
        Sets file to hidden
        
        PID:3056
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        6⤵
        
        PID:1596
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        6⤵
        
        PID:2900
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        5⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2600
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        5⤵
        
        PID:2644
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        5⤵
        
        PID:2160
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        5⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        5⤵
        
        PID:1568
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        5⤵
        Sets file to hidden
        
        PID:2760
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        5⤵
        
        PID:2524
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2196
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.zrz"
        5⤵
        
        PID:1008
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2196
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.zrz"
        5⤵
        
        PID:276
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2364
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2160
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1664
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1424
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:2944
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2252
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:1884
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2280
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1972
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "1.exe"
      4⤵
      Kills process with taskkill
      PID:1268
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.zrz"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.zrz"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1768
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.zrz"
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.zrz"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2204
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.zrz"
    3⤵
    - Sets file to hidden
    - Drops file in Program Files directory
    - Views/modifies file attributes
    PID:772
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
    3⤵
    - Views/modifies file attributes
    PID:2912
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2908
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.zrz"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.zrz"
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.zrz"
    3⤵
    - Views/modifies file attributes
    PID:1956
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.zrz"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.zrz"
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.zrz"
    3⤵
    - Sets file to hidden
    - Drops file in Program Files directory
    PID:2628
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo --===Kuzja Report===-- > "C:\system.log"
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:1408
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:1212
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /all >> "C:\system.log"
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
      4⤵
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:524
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        5⤵
        
        PID:1508
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2524
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:820
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        5⤵
        
        PID:2596
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:940
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:604
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2528
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2220
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:1800
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:1568
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        6⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:2684
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2888
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:2484
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:2824
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        6⤵
        
        PID:1804
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        6⤵
        
        PID:2956
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        6⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        5⤵
        
        PID:2464
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        5⤵
        Sets file to hidden
        
        PID:2476
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        5⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1968
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        5⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2868
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2716
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:668
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:1912
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.zrz"
        5⤵
        
        PID:1332
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.zrz"
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        5⤵
        Drops file in Program Files directory
        
        PID:3028
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
      4⤵
      PID:780
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
      4⤵
      Views/modifies file attributes
      PID:1408
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
      4⤵
      PID:112
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
      4⤵
      Sets file to hidden
      PID:2728
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
      4⤵
      Views/modifies file attributes
      PID:2416
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.zrz"
      4⤵
      PID:3028
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.zrz"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2248
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.zrz"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1408
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.zrz"
      4⤵
      Views/modifies file attributes
      PID:2416
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.zrz"
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.zrz"
      4⤵
      Sets file to hidden
      PID:1124
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.zrz"
      4⤵
      Views/modifies file attributes
      PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        5⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1884
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:292
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1664
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1932
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        5⤵
        Drops file in Program Files directory
        
        PID:456
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:1172
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2128
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2152
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
      4⤵
      Kills process with taskkill
      PID:2200
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:2732
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "1.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.zrz"
  2⤵
  PID:2440
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.zrz"
  2⤵
  - Sets file to hidden
  PID:2520
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.zrz"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1108
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:948
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.zrz"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.zrz"
  2⤵
  PID:928
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:1620
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.zrz"
  2⤵
  - Views/modifies file attributes
  PID:2088
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.zrz"
  2⤵
  - Sets file to hidden
  PID:1732
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.zrz"
  2⤵
  - Sets file to hidden
  - Drops file in Program Files directory
  PID:2000
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.zrz"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2432
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.zrz"
  2⤵
  - Views/modifies file attributes
  PID:1440
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.zrz"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1080
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.zrz"
  2⤵
  - Drops file in Program Files directory
  PID:2812
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.zrz"
  2⤵
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo --===Kuzja Report===-- > "C:\system.log"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ipconfig /all >> "C:\system.log"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:652
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:1656
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo --===Kuzja Report===-- > "C:\system.log"
      4⤵
      PID:1888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /all >> "C:\system.log"
      4⤵
      PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2232
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        5⤵
        
        PID:920
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2576
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2236
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1888
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:3044
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2104
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:1392
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:936
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2072
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:1912
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:3004
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
        5⤵
        
        PID:2700
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
        5⤵
        
        PID:2244
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
        5⤵
        Sets file to hidden
        
        PID:2348
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
      4⤵
      Sets file to hidden
      PID:2456
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
      4⤵
      Views/modifies file attributes
      PID:2756
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
      4⤵
      Sets file to hidden
      PID:2152
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
      4⤵
      PID:1896
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
      4⤵
      Sets file to hidden
      PID:1268
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
      4⤵
      Sets file to hidden
      PID:1424
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
      4⤵
      Views/modifies file attributes
      PID:2432
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
      4⤵
      Sets file to hidden
      PID:2760
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.zrz"
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
      4⤵
      Views/modifies file attributes
      PID:2844
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.zrz"
    3⤵
    - Sets file to hidden
    PID:2388
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.zrz"
    3⤵
    - Views/modifies file attributes
    PID:2160
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.zrz"
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.zrz"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
    3⤵
    - Sets file to hidden
    PID:1916
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
    3⤵
    - Sets file to hidden
    PID:2704
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
    3⤵
    - Sets file to hidden
    PID:2760
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.zrz"
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.zrz"
    3⤵
    - Sets file to hidden
    PID:2304
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.zrz"
    3⤵
    - Views/modifies file attributes
    PID:456
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.zrz"
    3⤵
    PID:860
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\misc.zrz"
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.zrz"
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.zrz"
    3⤵
    PID:1892
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo --===Kuzja Report===-- > "C:\system.log"
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /all >> "C:\system.log"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1600
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
    3⤵
    - Kills process with taskkill
    PID:1220
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
  2⤵
  - Kills process with taskkill
  PID:2408
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im "1.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1306295639-900513851148040900319572729141434940353-18774744851420037449-466325046"
1⤵
PID:1428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "56864908-11172655810618057531072904219582780526-1493500427933385577-1364042442"
1⤵
PID:940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16195534472112731705-210123203731143932113012825121564783897914494961598952225"
1⤵
PID:2240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "438162575-1106106722-1981160596-61119261-3742446591084878601-978348852-261572672"
1⤵
PID:2232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1186855539-18326143811809335867519435993-1364555644-1979588329-1054442162-103710264"
1⤵
PID:2316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14040668671174144033307797582-2024757858-864217508568017429-187367726690566607"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-201186692-1872055253-493352357-1651846660-674648696525837114532922304-83563346"
1⤵
PID:2424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1451433263-2622740671307833800-4210899641401796434-11031399741757230834-2066374658"
1⤵
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14610112101543911264942355442-1941666622-2108342627-2100394324-531192830-717821349"
1⤵
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15065516541509857676-2034754676139614461218065190541237053411192045612899270567"
1⤵
PID:2868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6018070011414727389209853901543824673916234882291671604789880623903-1521906680"
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20450309031390067937-314042535161124472711546585395478366117551374591127363475"
1⤵
PID:1944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6209146178741140642000733052-1413930281-256946286379318813-1948372907-1895064165"
1⤵
PID:752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8707569004313207631719184219-20550489871480461190603282365-2141894287947920471"
1⤵
- Drops file in Program Files directory
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-155551702213136556341451236018-853976762-121038084210491903171840649519-540537355"
1⤵
PID:2040

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1992497937-1376081561569900231-2081856864-16108220478862679867644030671766722772"
1⤵
PID:2696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13458711332615217821206380318-160490108466940914015202591911814189338-1165108425"
1⤵
PID:2520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-120132546-130235643-1319173659-1249859624-1790217682-1250543561-76918052-1378390613"
1⤵
PID:1152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21340054411682167690-1458534139-1877160715139343227215407129051451876169468395629"
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1857546016611512360420582481194051-3924142532077577469-1105832802-1813080472"
1⤵
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1407730938-1717406752584487375-1175165421722021261-1413913672-288873471204504449"
1⤵
PID:2308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "806753256-201541174466529926-18938776341362753732-7944261886102734871420494156"
1⤵
PID:920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2056664002143066920-1299139692-114651975112590151841247130182465493435-2085667781"
1⤵
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8198506311052140638-19051117551588222974-1726193663946188695-7127289941512507439"
1⤵
PID:2976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6778687141553035526434904893-3348726221099347272558738871-12575143361291117948"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "178887318-13299172811076016392-172026407-1689799031-10255286012020118669-1503697711"
1⤵
PID:2380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1867477053-234500921313813464174343481003655752-18269259881871277380-205151367"
1⤵
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "830356523-178340167-379344828904532618171959770042125912868506282-1835907841"
1⤵
PID:1888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1052929824-21347048108327384351810342229351630416-336755919124169844665812684"
1⤵
PID:2224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "985789885-90981301534494380216063960281048443528-55982458616628377271564606803"
1⤵
PID:1712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9977239741787518561-15594393077546303857675393189775020477526783952105781675"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1153470316-9903715217694246862117969809114500649136356743-5620918621698731697"
1⤵
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12480701651988329055-1326004072213172139104791385719381171192039403389-1762787304"
1⤵
PID:2600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1395224203-899871637-206129442714655354226714003868284174231861318988-257615338"
1⤵
PID:1796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7530125294990181811994848959-1666106584-208355417638030832232302247428262753"
1⤵
PID:584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "746648546873708119308611257524599275003583441577256089-10803875781126149709"
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "830650746-1288003935-1644423779-291258204-18200271371583220319-1511133687-2127062016"
1⤵
PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "201379562-1615448137-643694562-15386412291139482643-1663115036919784608-1843674336"
1⤵
PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1571045696-1712317010-19212517321280907169253294122-152937689610500661131482488412"
1⤵
- Drops file in Program Files directory
PID:276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20443424465820176051192239825306044863-1804731128-1295072333-135981830-2075633113"
1⤵
PID:2596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1947458396-132212098319810756631510312719-696160479261147555-15771168921808032047"
1⤵
PID:112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1614638895-1119280821577961013-1575871260-14133410721212581738-1214298873-1953660446"
1⤵
PID:2512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1088364373-1956895611-2108172798-740568793-1042751693-4167390461851667899-1757321826"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "195520936113560334514730136011395317801039128571-1700579617-1641392135-264570528"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1596211327-399553059-1748379722-382104347-1754581055-699569526762506682-2027865573"
1⤵
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "26164877419808054602075147336-198057400021457608872675156-1447693702-202019077"
1⤵
PID:744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "127006371513092530719261001641108071612-23724067453952651-16642813181609180679"
1⤵
PID:1464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4935203-440856227-2118453237-8161249065475349241721748153-1252194542363685720"
1⤵
PID:2524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-163287272715147511831765535851-94336520015285400022145488638-13951519311908509128"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-90425232-6475681701284869375-178611464519767704651651322296-472761635-286241093"
1⤵
PID:940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2515213971873396641935970496462324589-85681403-1868300852238392001-164344963"
1⤵
PID:928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1166740457-15759898628519468434461681411204723085-345696034-990445998865942618"
1⤵
PID:1264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "117341559618327461182041590964-6647100501809558710-20242252204287167431515445246"
1⤵
- Drops file in Program Files directory
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-604972952-1573880854-1326800501-1689704487-13481028262534637841341655351-888581025"
1⤵
PID:1008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1272595060402969037-8015328517652179802130848362-1448197667-1721592211577692826"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "138653783974200183512819394791492034540175797871186316283934445494-398050046"
1⤵
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-704082639-819146796-341171348-1383188789-44315555418568221101204716082814001994"
1⤵
PID:1468

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "35929029-397969666-20216343720969801581179973303663417648-1818347275601970503"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1694956904-1468773815-244582671977809255-34209740321068480151039479724-1829767857"
1⤵
- Drops file in Program Files directory
PID:1732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "678411284933685285-264247089-17792359421089877050218632462-469061507-1648235679"
1⤵
- Drops file in Program Files directory
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2097455414-692849838-814611486679736063-111871157-17833119066963446731877493068"
1⤵
PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12840708811328489976-5231783952113840015-1081173345-1629789898-12695516151492099988"
1⤵
PID:1444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "328881684-18382290252073376489151522486514681904461302520953-7059050441919385306"
1⤵
PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1791556274-1929414908-1239098425-1922821679196343414220291133432029671007-787083358"
1⤵
PID:2820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-194587580-54530585720401585501796541273210070416-1395212090-5282322801893461897"
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1174900078-485672907-1966203715-522374282906457893-2110153368269291306-221411975"
1⤵
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8889240-2867055401975275201-1237375578-1066850021-17582029161669773662-1153150491"
1⤵
PID:932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-689589638-7008980352088067139-50156231515172893762050591067-1074278014697477343"
1⤵
PID:936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1994586113978853077-62939279535514054719769551291857321852-183870529345841002"
1⤵
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe

Filesize
32KB

MD5
a28578a343cc18414ae96edc47ff09d5

SHA1
9792c7fd8c4c41be63d1f4bad742a57c48ed0dfb

SHA256
e9f8eaa5d20ba8d588ca0e05246d9bd6a4ab04f1d198e613ce5f512e55e8d782

SHA512
79bf3d184ddbd5489d80edb8973af3eb5c3383997becdb6f98fc858785108ec8d6a50ca3f0bebb8f0119bd8505405a6f60c313cce0b2cf2d7716f72bed4e4d18

Download Submit
C:\system.log

Filesize
61B

MD5
8070b69eec39e2dbea0f1ceca52779af

SHA1
e2dd1e42c991640b6b50ffa9e220afc6e8c8bfdb

SHA256
3696794c8aa3dd280cddd04321bbc98a8efdda93f3e64a1f9b1a10d1bea11b79

SHA512
7d64f4e78017975a683834f4e72937a03b4932f8050ca082b13fc5ca66700b1bb6217938227e0654ea6ee5382903c2fc095a9f89c577d754f8244397f7020479

Download Submit
C:\system.log

Filesize
70B

MD5
a16120de5ed668c40899be2038759357

SHA1
5617ab44ff30c8f962387abb56469ca024fa2115

SHA256
f094df98b39483773d803f1ec87583329a7fab21d7dd8d47b06e984f28cb4c4e

SHA512
adf9776d08e736219d5b5e2049e97dad643614ca316883e0fa4922209d47b3ebc9d0fe36cc05f8eb30c515b3a1a442b30222c8b99772f457c721b64f4ede1731

Download Submit
C:\system.log

Filesize
79B

MD5
24d18cab4f7d267a84470c719513d6f5

SHA1
1e72e159117c294868518ccdaf94f8daafeb45f6

SHA256
887bb426b306e3e94f13c7cfbee7af62a322351fa7690f8bcea2b74557378c1c

SHA512
418569f633c6818b0b137faadd814dca050fd81c44db951fbcda8208b3480477e23d0f76533abc988a2aa4a214c92a9c05cc7139466cf363eab93aead5358aba

Download Submit
C:\system.log

Filesize
88B

MD5
4c0be92869a8dd3e36f51cbb2e6b6e5c

SHA1
54661a1a619e1c7e9fa4a646d6389dc431d695ac

SHA256
6b731e53001009247d29bca16ae230e68678c42471abb9a99a5cad684eb8f0d9

SHA512
6b003f03a60687e1e4810f0fb4f31dd4ec2635439df9580bdbe3664d044b0f497d29eb6159c5e09aed49d2c80ae5f80d1af864c89e733d3a0b003309fe94c96c

Download Submit
C:\system.log

Filesize
1KB

MD5
ba011c427eb3bbbf8d3cc43307b52a47

SHA1
db77695fe50d87b9c19497af0591362806e7c419

SHA256
14c7ceab3e1705f3f733854665608d673bb8462a4769a1a55433ff7f604bc4e1

SHA512
3136da49fa835c356175ddcf13664ea1a759d35706f070b60b3e0d13f1256ebb1e6b4f12cbfcfc22b9c4eb5c1b70b42b6d01b5a0238690a90007e0a9b373a389

Download Submit
C:\system.log

Filesize
97B

MD5
a7617869323cc906305ebdf6693d4200

SHA1
2a62c5ba8758ec98d87e5e1c7c14f979addf62ba

SHA256
715a7ab73bf9e437dce81805ab8debce642f03d34d1d81c2de2523970574160d

SHA512
8c02b3c56087d30b54a5d815d811311521c3b65631caaf149d38b4ad25cacedccf3008bfbe88a18392107d91b8ed64cb6622720011601e9474bdc044e67fc8f2

Download Submit
C:\system.log

Filesize
106B

MD5
6013effbd1c181fa3d4191e42683e797

SHA1
32b9ca867fcd22557fbe01d93b3f953a6cd048e1

SHA256
075c0b43ecaf85e0d03a979768e90b94e735dfb601c1ed091a25c4c2e593c954

SHA512
a860cd7c69b756278fe2f2edb9f97d326de35847a7d745613870420bf1b0780a235e439877c8d4c2fcdfbab9082553465e210268ccdfc4cd77f8405f3551a876

Download Submit
C:\system.log

Filesize
1KB

MD5
693c6b88d26c5c830a6c199d078cce5a

SHA1
a51446b0d571760b0e709771122c833037d4b06d

SHA256
41ac80c8e606fc62a2beeaa2ecd1b063afc5a81b5289f28a26d154acddee9784

SHA512
16fef73b3cb9ca18ed54ca53a6e286f41980b4de9b17fe85772ffe65dfae379ac3ffe55ae0e38c3c7b4e4eb42bdfa1918a38dc2407e34f19670c710995180399

Download Submit
C:\system.log

Filesize
2KB

MD5
b6bc7437c547ce54deafaba4f5995a8f

SHA1
02ffc5597859c3407be8b9f0096d1a1ca89d30b5

SHA256
1f67f9bd772cadb45a532390e78e4c764d3d7793dce05569e3f8a24ed6af52eb

SHA512
e3215733334b0420b22601caaa11d14e1001d046a6b5befce16e48de0fceb839d851a5d941af0f81c1f3209467dc86cdb24087e34d6888f66e64abdb990c26a7

Download Submit
C:\system.log

Filesize
4KB

MD5
ab7188e984fadbecdfe3c44a95c0572f

SHA1
172627a6b320cd7b1fb339f5ced0e0b713993391

SHA256
d827588ef73f37e9f845772be305d8c1c3a5f77bd6c40b2b22ec9ab0075c5f31

SHA512
8ebfde579efa39ed8843a987c0d7ae5ec4c51cfce499c64d6312f0105e56c3be305c4b9c837c6413acc22b043ba78e844ab6dbfebdaeb423aa594264eb6381e3

Download Submit
C:\system.log

Filesize
4KB

MD5
e72c8b07c03138f1b72742f1292a27b6

SHA1
6e044cf1cafe3a3182be52e1c6c272afff52819b

SHA256
97b36a717790329b054c49ce68413e02051eaf57d29f815a9300a8aaf38d8be2

SHA512
ef0f9f68c493216807dfcda23857ccb80720650bcedf561edfec1ef05e95a4156276c8675e5bd321a09a0cdff147aa50914c831ef8918aadcb2cbb4bbc38cdcb

Download Submit
C:\system.log

Filesize
4KB

MD5
dada11196397bb379d5c6144b202cf5f

SHA1
05993255a7dc645ae09f4bde3b060bdd0158701d

SHA256
11d7fd5a4dab9d26455d041caeae471f934ef3b583fd75754161d71e55d86a37

SHA512
56d71a3bd80d02905ed508ad15bec72fd7b894e33e56d8b1c3cfce3831b6c070ff182dfcaab393c03c914374517154c5deb9cc86f8db626cbd3714729d59453f

Download Submit
C:\system.log

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\system.log

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\system.log

Filesize
43B

MD5
57127ac0be9bfcd1ea5735989ea7cd1c

SHA1
e4e79fafe540c7839ad8e575b83817869193e7b1

SHA256
2c1e54fa62f626b5278722adfd5811073f67c776992716d98c073a990104fc26

SHA512
f922a206ff162cb3978ae94b8f082fcd6288783a8b8fa37a2ee713d02008bccb76810dd3063f38e0dd450293ff28863404d362fbcfbb229e1271e7c303bb6220

Download Submit
C:\system.log

Filesize
52B

MD5
2e4bb0cbe5a62a8b15d9fd4f80250c4f

SHA1
27ee76c6b1760b74595da3e27ecc5acce434b5c7

SHA256
74fadd54de220b3e790ddd85c20139f310a7d7c342c514da3546af689414b516

SHA512
b33199cd03c20a9bff1770dcee5ec0c3ca26da3cc1de5be4d75250a359c74603ffc8969b1bf21d9de09dda52e29a4707165c5307581a0fa4402504a61daaedbe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads