e9f8eaa5d20ba8d588ca0e05246d9bd6a4ab04f1d198e613ce5f512e55e8d782

Analysis

max time kernel
550s
max time network
553s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
03/01/2024, 14:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

32KB
MD5

a28578a343cc18414ae96edc47ff09d5
SHA1

9792c7fd8c4c41be63d1f4bad742a57c48ed0dfb
SHA256

e9f8eaa5d20ba8d588ca0e05246d9bd6a4ab04f1d198e613ce5f512e55e8d782
SHA512

79bf3d184ddbd5489d80edb8973af3eb5c3383997becdb6f98fc858785108ec8d6a50ca3f0bebb8f0119bd8505405a6f60c313cce0b2cf2d7716f72bed4e4d18
SSDEEP

384:8LipZl447piqb/lUYf5uH3w59AMRG5qUIjFgOrjFymqAeO8W8xlrG:dmiiqTfk2AMRGwlFgOrjsblK

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4848	attrib.exe
4596	attrib.exe
1792	attrib.exe
2988	attrib.exe
4544	attrib.exe
6104	attrib.exe
2740	attrib.exe
7888	attrib.exe
3776	attrib.exe
2484	attrib.exe
1708	attrib.exe
5740	attrib.exe
5736	attrib.exe
6208	attrib.exe
6448	attrib.exe
4328	attrib.exe
4292	attrib.exe
5216	attrib.exe
5960	attrib.exe
6928	attrib.exe
6584	attrib.exe
5704	attrib.exe
3776	attrib.exe
5100	attrib.exe
5920	attrib.exe
2152	attrib.exe
1112	attrib.exe
6764	attrib.exe
2816	attrib.exe
3556	attrib.exe
3904	attrib.exe
4192	attrib.exe
3980	attrib.exe
6292	attrib.exe
2008	attrib.exe
2304	attrib.exe
5208	attrib.exe
1008	attrib.exe
3984	attrib.exe
6536	attrib.exe
4480	attrib.exe
752	attrib.exe
2832	attrib.exe
4736	attrib.exe
3812	attrib.exe
5704	attrib.exe
988	attrib.exe
6832	attrib.exe
5204	attrib.exe
5328	attrib.exe
3860	attrib.exe
5208	attrib.exe
5940	attrib.exe
5800	attrib.exe
5728	attrib.exe
6308	attrib.exe
7392	attrib.exe
2840	attrib.exe
5604	attrib.exe
5684	attrib.exe
4452	attrib.exe
2060	attrib.exe
4916	attrib.exe
5224	attrib.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.zrz	Conhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\msedge.zrz	Conhost.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe	1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\BHO\ie_to_edge_stub.exe	1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	1.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe	1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\elevation_service.zrz	cmd.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	1.exe
File created	C:\Program Files (x86)\Windows Media Player\wmprph.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe	1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.zrz	attrib.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe	1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.zrz	attrib.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.zrz	Conhost.exe
File created	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	1.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe	1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.zrz	attrib.exe
File created	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\cookie_exporter.zrz	attrib.exe
File created	C:\Program Files (x86)\Windows Mail\wab.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\cookie_exporter.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	1.exe
File created	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	1.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	1.exe
File created	C:\Program Files (x86)\Windows Media Player\wmprph.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.zrz	Conhost.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\elevation_service.exe	1.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe	1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\msedge.exe	1.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	1.exe
File created	C:\Program Files (x86)\Windows Mail\wabmig.exe	1.exe
File created	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.zrz	Process not Found
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.zrz	attrib.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe	1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.zrz	attrib.exe
File created	C:\Program Files (x86)\Windows Media Player\wmprph.exe	1.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.zrz	attrib.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\pwahelper.exe	1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdate.zrz	attrib.exe
File created	C:\Program Files (x86)\Windows Mail\wabmig.exe	1.exe
File created	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	1.exe
File created	C:\Program Files (x86)\Windows Mail\wabmig.exe	1.exe
File created	C:\Program Files (x86)\Windows Mail\wabmig.exe	1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.zrz	Conhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedge_proxy.zrz	cmd.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1116	ipconfig.exe
3416	ipconfig.exe
1312	ipconfig.exe
1048	ipconfig.exe
6676	ipconfig.exe

Kills process with taskkill 33 IoCs

evasion

pid	Process
2904	taskkill.exe
4124	taskkill.exe
1116	taskkill.exe
7092	taskkill.exe
6272	taskkill.exe
6432	taskkill.exe
6548	taskkill.exe
7004	taskkill.exe
6960	taskkill.exe
4596	taskkill.exe
5952	taskkill.exe
6656	taskkill.exe
5680	taskkill.exe
2328	taskkill.exe
4740	taskkill.exe
4316	taskkill.exe
5036	taskkill.exe
6384	taskkill.exe
6176	taskkill.exe
1872	taskkill.exe
6112	taskkill.exe
3724	taskkill.exe
400	taskkill.exe
4784	taskkill.exe
6900	taskkill.exe
6728	taskkill.exe
3772	taskkill.exe
5424	taskkill.exe
2944	taskkill.exe
3024	taskkill.exe
5500	taskkill.exe
6568	taskkill.exe
7816	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	4316	Conhost.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	2944	attrib.exe
Token: SeDebugPrivilege	400	taskkill.exe
Token: SeDebugPrivilege	4784	Conhost.exe
Token: SeDebugPrivilege	3024	cmd.exe
Token: SeDebugPrivilege	6112	taskkill.exe
Token: SeDebugPrivilege	4124	cmd.exe
Token: SeDebugPrivilege	1116	attrib.exe
Token: SeDebugPrivilege	4596	attrib.exe
Token: SeDebugPrivilege	5952	taskkill.exe
Token: SeDebugPrivilege	5036	firefox.exe
Token: SeDebugPrivilege	6272	taskkill.exe
Token: SeDebugPrivilege	6384	taskkill.exe
Token: SeDebugPrivilege	6728	taskkill.exe
Token: SeDebugPrivilege	6432	Conhost.exe
Token: SeDebugPrivilege	6548	Conhost.exe
Token: SeDebugPrivilege	6656	taskkill.exe
Token: SeDebugPrivilege	5500	taskkill.exe
Token: SeDebugPrivilege	6176	Conhost.exe
Token: SeDebugPrivilege	5680	cmd.exe
Token: SeDebugPrivilege	7004	taskkill.exe
Token: SeDebugPrivilege	6960	attrib.exe
Token: SeDebugPrivilege	3724	taskkill.exe
Token: SeDebugPrivilege	6568	taskkill.exe
Token: SeDebugPrivilege	7092	taskkill.exe
Token: SeDebugPrivilege	6900	taskkill.exe
Token: SeDebugPrivilege	4740	taskkill.exe
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	5424	taskkill.exe
Token: SeDebugPrivilege	7816	taskkill.exe
Token: SeDebugPrivilege	6280	firefox.exe
Token: SeDebugPrivilege	6280	firefox.exe
Token: SeDebugPrivilege	6280	firefox.exe
Token: SeDebugPrivilege	6280	firefox.exe
Token: SeDebugPrivilege	6280	firefox.exe
Token: SeDebugPrivilege	6280	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
6280	firefox.exe
6280	firefox.exe
6280	firefox.exe
6280	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
6280	firefox.exe
6280	firefox.exe
6280	firefox.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
1300	1.exe
3916	1.exe
1560	1.exe
5068	1.exe
2916	1.exe
1724	1.exe
3080	1.exe
4948	1.exe
3192	1.exe
5480	1.exe
5968	1.exe
5884	1.exe
5528	1.exe
5592	1.exe
2152	1.exe
5012	1.exe
3828	1.exe
688	1.exe
3020	1.exe
1012	1.exe
240	1.exe
5148	1.exe
5656	1.exe
1540	1.exe
5144	1.exe
1612	1.exe
6972	1.exe
6904	1.exe
7156	1.exe
6924	1.exe
3376	1.exe
6820	1.exe
7144	1.exe
2616	1.exe
5688	1.exe
7568	1.exe
6280	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1224	1300	1.exe	79
PID 1300 wrote to memory of 1224	1300	1.exe	79
PID 1300 wrote to memory of 1224	1300	1.exe	79
PID 1300 wrote to memory of 1456	1300	1.exe	81
PID 1300 wrote to memory of 1456	1300	1.exe	81
PID 1300 wrote to memory of 1456	1300	1.exe	81
PID 1300 wrote to memory of 4384	1300	1.exe	83
PID 1300 wrote to memory of 4384	1300	1.exe	83
PID 1300 wrote to memory of 4384	1300	1.exe	83
PID 1300 wrote to memory of 2476	1300	1.exe	85
PID 1300 wrote to memory of 2476	1300	1.exe	85
PID 1300 wrote to memory of 2476	1300	1.exe	85
PID 1300 wrote to memory of 2312	1300	1.exe	87
PID 1300 wrote to memory of 2312	1300	1.exe	87
PID 1300 wrote to memory of 2312	1300	1.exe	87
PID 1300 wrote to memory of 3784	1300	1.exe	90
PID 1300 wrote to memory of 3784	1300	1.exe	90
PID 1300 wrote to memory of 3784	1300	1.exe	90
PID 1300 wrote to memory of 3520	1300	1.exe	92
PID 1300 wrote to memory of 3520	1300	1.exe	92
PID 1300 wrote to memory of 3520	1300	1.exe	92
PID 3520 wrote to memory of 1116	3520	cmd.exe	94
PID 3520 wrote to memory of 1116	3520	cmd.exe	94
PID 3520 wrote to memory of 1116	3520	cmd.exe	94
PID 1300 wrote to memory of 400	1300	1.exe	95
PID 1300 wrote to memory of 400	1300	1.exe	95
PID 1300 wrote to memory of 400	1300	1.exe	95
PID 1300 wrote to memory of 3916	1300	1.exe	97
PID 1300 wrote to memory of 3916	1300	1.exe	97
PID 1300 wrote to memory of 3916	1300	1.exe	97
PID 1300 wrote to memory of 4608	1300	1.exe	98
PID 1300 wrote to memory of 4608	1300	1.exe	98
PID 1300 wrote to memory of 4608	1300	1.exe	98
PID 3916 wrote to memory of 1112	3916	1.exe	101
PID 3916 wrote to memory of 1112	3916	1.exe	101
PID 3916 wrote to memory of 1112	3916	1.exe	101
PID 1300 wrote to memory of 3776	1300	1.exe	100
PID 1300 wrote to memory of 3776	1300	1.exe	100
PID 1300 wrote to memory of 3776	1300	1.exe	100
PID 1300 wrote to memory of 2372	1300	1.exe	172
PID 1300 wrote to memory of 2372	1300	1.exe	172
PID 1300 wrote to memory of 2372	1300	1.exe	172
PID 1300 wrote to memory of 1804	1300	1.exe	106
PID 1300 wrote to memory of 1804	1300	1.exe	106
PID 1300 wrote to memory of 1804	1300	1.exe	106
PID 1300 wrote to memory of 2008	1300	1.exe	108
PID 1300 wrote to memory of 2008	1300	1.exe	108
PID 1300 wrote to memory of 2008	1300	1.exe	108
PID 1300 wrote to memory of 4088	1300	1.exe	179
PID 1300 wrote to memory of 4088	1300	1.exe	179
PID 1300 wrote to memory of 4088	1300	1.exe	179
PID 3916 wrote to memory of 4220	3916	1.exe	112
PID 3916 wrote to memory of 4220	3916	1.exe	112
PID 3916 wrote to memory of 4220	3916	1.exe	112
PID 3916 wrote to memory of 4916	3916	1.exe	114
PID 3916 wrote to memory of 4916	3916	1.exe	114
PID 3916 wrote to memory of 4916	3916	1.exe	114
PID 3916 wrote to memory of 1880	3916	1.exe	116
PID 3916 wrote to memory of 1880	3916	1.exe	116
PID 3916 wrote to memory of 1880	3916	1.exe	116
PID 3916 wrote to memory of 1600	3916	1.exe	118
PID 3916 wrote to memory of 1600	3916	1.exe	118
PID 3916 wrote to memory of 1600	3916	1.exe	118
PID 3916 wrote to memory of 2916	3916	1.exe	185

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
916	attrib.exe
3936	attrib.exe
6584	attrib.exe
5328	attrib.exe
2248	attrib.exe
4484	attrib.exe
7504	attrib.exe
4616	attrib.exe
4652	attrib.exe
3980	attrib.exe
5980	attrib.exe
5960	attrib.exe
2864	attrib.exe
1228	attrib.exe
3472	attrib.exe
5572	attrib.exe
5324	attrib.exe
3872	attrib.exe
5940	attrib.exe
3236	attrib.exe
2704	attrib.exe
3860	attrib.exe
3776	attrib.exe
5488	attrib.exe
6228	attrib.exe
1192	attrib.exe
2008	attrib.exe
5712	attrib.exe
3464	attrib.exe
6308	attrib.exe
6896	attrib.exe
7392	attrib.exe
4068	attrib.exe
6208	attrib.exe
4544	attrib.exe
5064	attrib.exe
5796	attrib.exe
2944	attrib.exe
5676	attrib.exe
2304	attrib.exe
3164	attrib.exe
4328	attrib.exe
5756	attrib.exe
4528	attrib.exe
5180	attrib.exe
5856	attrib.exe
3812	attrib.exe
5812	attrib.exe
5928	attrib.exe
5216	attrib.exe
4352	attrib.exe
3396	attrib.exe
7088	attrib.exe
5272	attrib.exe
5768	attrib.exe
4916	attrib.exe
1980	attrib.exe
4216	attrib.exe
1112	attrib.exe
6868	attrib.exe
2740	attrib.exe
5172	attrib.exe
2192	attrib.exe
2384	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo --===Kuzja Report===-- > "C:\system.log"
  2⤵
  PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\system.log"
  2⤵
  PID:1456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\system.log"
  2⤵
  PID:4384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\system.log"
  2⤵
  PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\system.log"
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\system.log"
  2⤵
  PID:3784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /all >> "C:\system.log"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo \\\/// >> "C:\system.log"
  2⤵
  PID:400
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo --===Kuzja Report===-- > "C:\system.log"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ipconfig /all >> "C:\system.log"
    3⤵
    PID:5012
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo --===Kuzja Report===-- > "C:\system.log"
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:1160
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:4272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2468
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:3696
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /all >> "C:\system.log"
      4⤵
      PID:4068
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:1312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2864
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
      4⤵
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1724
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        5⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:4108
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:3348
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1884
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:4736
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2560
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        5⤵
        
        PID:3728
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1720
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1160
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:5884
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:4848
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:4552
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2164
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:5376
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:916
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:1760
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        6⤵
        
        PID:5800
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:5096
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:2304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Drops file in Program Files directory
        
        PID:5268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:8188
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
        6⤵
        
        PID:2816
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
        6⤵
        Sets file to hidden
        
        PID:4192
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        6⤵
        Sets file to hidden
        
        PID:5684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5324
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        6⤵
        
        PID:6408
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        6⤵
        
        PID:5784
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:5940
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        6⤵
        
        PID:5820
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        6⤵
        
        PID:3196
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
        6⤵
        
        PID:5072
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6584
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
        6⤵
        
        PID:6388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2164
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
        6⤵
        
        PID:6412
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
        6⤵
        
        PID:3784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5920
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
        6⤵
        
        PID:5232
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:7976
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
        6⤵
        
        PID:6344
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        
        PID:6960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Drops file in Program Files directory
        
        PID:2704
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
        5⤵
        Sets file to hidden
        
        PID:5208
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
        5⤵
        Sets file to hidden
        
        PID:5604
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        
        PID:3488
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        5⤵
        Sets file to hidden
        
        PID:1008
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        5⤵
        
        PID:5232
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        5⤵
        
        PID:5668
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        5⤵
        Sets file to hidden
        
        PID:5940
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\cookie_exporter.zrz"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1112
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\elevation_service.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4916
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6048
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\identity_helper.zrz"
        5⤵
        
        PID:1456
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedge.zrz"
        5⤵
        
        PID:2248
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedgewebview2.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:5324
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedge_proxy.zrz"
        5⤵
        Sets file to hidden
        
        PID:2988
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedge_pwa_launcher.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:5712
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:5012
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:4580
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:6540
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:5464
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:4224
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:6224
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2076
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        6⤵
        
        PID:5796
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:3376
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:5200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:4692
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
        6⤵
        Sets file to hidden
        
        PID:752
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:6252
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
        6⤵
        
        PID:4064
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        6⤵
        
        PID:2552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4256
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6960
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        6⤵
        
        PID:5808
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:1192
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        6⤵
        
        PID:1412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5432
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
        6⤵
        
        PID:6608
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:5928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2740
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
        6⤵
        
        PID:6816
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
        6⤵
        
        PID:436
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:4484
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
        6⤵
        
        PID:3220
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:7440
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
        6⤵
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1048
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7816
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\notification_helper.zrz"
        5⤵
        
        PID:3180
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        5⤵
        Kills process with taskkill
        
        PID:5036
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5952
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
      4⤵
      Sets file to hidden
      PID:2484
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.zrz"
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.zrz"
      4⤵
      PID:1312
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.zrz"
      4⤵
      Views/modifies file attributes
      PID:4068
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.zrz"
      4⤵
      PID:2768
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.zrz"
      4⤵
      Drops file in Program Files directory
      PID:4640
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.zrz"
      4⤵
      PID:3696
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.zrz"
      4⤵
      Drops file in Program Files directory
      PID:504
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.zrz"
      4⤵
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:3936
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.zrz"
      4⤵
      Sets file to hidden
      PID:2060
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.zrz"
      4⤵
      PID:2960
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\Install\{2E3E7081-BC13-414C-81EB-2631783D380A}\chrome_installer.zrz"
      4⤵
      PID:3236
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.zrz"
      4⤵
      PID:4592
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
      4⤵
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:3192
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        5⤵
        
        PID:3212
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:5036
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:3120
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:4220
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1572
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:5680
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1544
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        5⤵
        
        PID:4068
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:5224
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5592
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:5664
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2684
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:5384
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:6092
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:6588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2560
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2664
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:6724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3784
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
        6⤵
        Sets file to hidden
        
        PID:6536
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        6⤵
        Sets file to hidden
        
        PID:5728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1640
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
        6⤵
        
        PID:1156
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:5796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6548
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        6⤵
        
        PID:5416
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:2248
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        6⤵
        
        PID:6132
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
        6⤵
        
        PID:1572
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        6⤵
        
        PID:6584
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
        6⤵
        
        PID:4552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1708
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
        6⤵
        
        PID:6864
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
        6⤵
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5272
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:6228
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:5856
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
        6⤵
        
        PID:2376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:6072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Drops file in Program Files directory
        
        PID:5628
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1088
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3872
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
        5⤵
        
        PID:5848
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
        5⤵
        Sets file to hidden
        
        PID:3904
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        
        PID:2468
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:4652
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3980
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2304
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        5⤵
        
        PID:5908
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:748
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.zrz"
        5⤵
        
        PID:5252
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.zrz"
        5⤵
        
        PID:4112
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Installer\setup.zrz"
        5⤵
        Sets file to hidden
        
        PID:5920
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\cookie_exporter.zrz"
        5⤵
        
        PID:5144
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedge.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:5488
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:5812
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.zrz"
        5⤵
        
        PID:4272
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedge_pwa_launcher.zrz"
        5⤵
        
        PID:4256
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3020
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:6252
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2740
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:5672
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:6520
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2344
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:4628
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        6⤵
        
        PID:6564
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:1520
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:7992
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6728
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6656
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4784
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
      4⤵
      Kills process with taskkill
      PID:3024
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.zrz"
    3⤵
    - Sets file to hidden
    PID:4736
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.zrz"
    3⤵
    - Sets file to hidden
    PID:1792
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.zrz"
    3⤵
    - Sets file to hidden
    PID:3984
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.zrz"
    3⤵
    - Sets file to hidden
    PID:2152
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.zrz"
    3⤵
    - Views/modifies file attributes
    PID:3472
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.zrz"
    3⤵
    - Views/modifies file attributes
    PID:1980
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.zrz"
    3⤵
    - Views/modifies file attributes
    PID:4616
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.zrz"
    3⤵
    - Views/modifies file attributes
    PID:2944
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.zrz"
    3⤵
    - Views/modifies file attributes
    PID:916
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
    3⤵
    PID:1404
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4088
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
    3⤵
    - Sets file to hidden
    PID:2304
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.zrz"
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.zrz"
    3⤵
    - Sets file to hidden
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo --===Kuzja Report===-- > "C:\system.log"
      4⤵
      PID:1088
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:4256
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /all >> "C:\system.log"
      4⤵
      PID:5072
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3556
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:1048
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
      4⤵
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:4948
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        5⤵
        
        PID:4784
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:884
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:4064
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:4628
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1428
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4216
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        5⤵
        
        PID:5204
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:5528
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:5492
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:4384
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:6620
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:6140
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3980
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:5336
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        6⤵
        
        PID:5100
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:1448
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        
        PID:6652
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
        6⤵
        
        PID:5100
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
        6⤵
        Sets file to hidden
        
        PID:6292
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        6⤵
        
        PID:6248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1936
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        6⤵
        Views/modifies file attributes
        
        PID:3236
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2344
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        6⤵
        
        PID:4848
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        6⤵
        
        PID:5864
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        6⤵
        Sets file to hidden
        
        PID:2816
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
        6⤵
        Sets file to hidden
        
        PID:4480
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
        6⤵
        
        PID:1688
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
        6⤵
        Sets file to hidden
        
        PID:4452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3488
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
        6⤵
        
        PID:6324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5836
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
        6⤵
        
        PID:6648
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:6860
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
        6⤵
        
        PID:6720
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
        6⤵
        
        PID:5664
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6568
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5768
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
        5⤵
        
        PID:5172
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3776
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4724
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
        5⤵
        Sets file to hidden
        
        PID:6104
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        5⤵
        
        PID:5136
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4068
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        5⤵
        Sets file to hidden
        
        PID:4848
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        5⤵
        
        PID:5128
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        5⤵
        
        PID:2036
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\pwahelper.zrz"
        5⤵
        Sets file to hidden
        
        PID:5736
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdate.zrz"
        5⤵
        Drops file in Program Files directory
        
        PID:5636
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:2384
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.zrz"
        5⤵
        Drops file in Program Files directory
        
        PID:1568
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.zrz"
        5⤵
        
        PID:2768
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5668
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\identity_helper.zrz"
        5⤵
        
        PID:5368
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\notification_helper.zrz"
        5⤵
        Sets file to hidden
        
        PID:988
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        5⤵
        
        PID:3512
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1012
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:6392
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:5656
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:5412
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:6584
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:3488
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:492
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        6⤵
        
        PID:6100
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:6468
      - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        7⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        7⤵
        Drops file in Program Files directory
        
        PID:4916
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
        6⤵
        
        PID:7348
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        6⤵
        
        PID:7524
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
        6⤵
        
        PID:7480
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        6⤵
        
        PID:8016
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        6⤵
        Sets file to hidden
        
        PID:7888
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        6⤵
        
        PID:7724
      - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        6⤵
        
        PID:7576
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:6432
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        5⤵
        Kills process with taskkill
        
        PID:6548
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
      4⤵
      PID:1060
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
      4⤵
      PID:4968
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1504
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
      4⤵
      Views/modifies file attributes
      PID:2864
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4328
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
      4⤵
      PID:4448
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
      4⤵
      PID:5132
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:5216
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\notification_helper.zrz"
      4⤵
      PID:5524
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\msedge_pwa_launcher.zrz"
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\pwahelper.zrz"
      4⤵
      Views/modifies file attributes
      PID:5572
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.zrz"
      4⤵
      PID:5628
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.zrz"
      4⤵
      Views/modifies file attributes
      PID:5676
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.zrz"
      4⤵
      Sets file to hidden
      PID:5704
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\BHO\ie_to_edge_stub.zrz"
      4⤵
      Sets file to hidden
      PID:5740
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5968
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        5⤵
        
        PID:6132
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:492
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:3864
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:5240
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:5156
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        5⤵
        
        PID:1468
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:408
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:240
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:5980
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:3812
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:4616
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:6316
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:3776
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:6096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5764
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        6⤵
        
        PID:3396
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:5496
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
        5⤵
        
        PID:5184
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
        5⤵
        
        PID:5844
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        
        PID:6132
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        5⤵
        Sets file to hidden
        
        PID:6448
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:5756
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:4528
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6432
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        5⤵
        
        PID:5812
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
        5⤵
        
        PID:5836
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:3396
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
        5⤵
        
        PID:6948
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
        5⤵
        
        PID:6640
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:7088
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1540
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:3852
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:5840
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:2768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6176
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:5440
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:6284
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:6364
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        6⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:6676
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
        5⤵
        
        PID:5272
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7004
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        5⤵
        Kills process with taskkill
        
        PID:5680
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4328
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Installer\setup.zrz"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:5960
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4596
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1224
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
      4⤵
      Kills process with taskkill
      PID:1116
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.zrz"
    3⤵
    - Views/modifies file attributes
    PID:2192
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    PID:2944
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
    3⤵
    - Kills process with taskkill
    PID:4316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "1.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.zrz"
  2⤵
  PID:4608
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.zrz"
  2⤵
  - Sets file to hidden
  - Drops file in Program Files directory
  PID:3776
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.zrz"
  2⤵
  PID:2372
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.zrz"
  2⤵
  PID:1804
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.zrz"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2008
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.zrz"
  2⤵
  PID:4088
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.zrz"
  2⤵
  - Views/modifies file attributes
  PID:2704
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.zrz"
  2⤵
  PID:4052
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.zrz"
  2⤵
  PID:2560
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.zrz"
  2⤵
  - Sets file to hidden
  PID:3556
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.zrz"
  2⤵
  PID:4292
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.zrz"
  2⤵
  PID:4724
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.zrz"
  2⤵
  PID:2932
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.zrz"
  2⤵
  PID:1544
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
  2⤵
  PID:1376
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2372
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo --===Kuzja Report===-- > "C:\system.log"
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:5036
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ipconfig /all >> "C:\system.log"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo \\\/// >> "C:\system.log"
    3⤵
    PID:1760
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:3080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo --===Kuzja Report===-- > "C:\system.log"
      4⤵
      PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:4352
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:3860
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:5652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /all >> "C:\system.log"
      4⤵
      PID:5340
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:5352
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
      4⤵
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:3828
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        5⤵
        
        PID:5896
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:5628
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:772
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:5808
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5812
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        5⤵
        
        PID:5912
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:4008
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6924
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:4664
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:5392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5524
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
        5⤵
        
        PID:6980
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
        5⤵
        
        PID:6392
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:6896
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3520
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        5⤵
        
        PID:5988
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        5⤵
        
        PID:4776
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        5⤵
        
        PID:1040
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        5⤵
        Sets file to hidden
        
        PID:2832
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:5172
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
        5⤵
        
        PID:5912
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
        5⤵
        
        PID:7272
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7392
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:7504
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
        5⤵
        
        PID:7732
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
        5⤵
        
        PID:7940
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
        5⤵
        
        PID:7588
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
      4⤵
      PID:6668
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
      4⤵
      Sets file to hidden
      PID:6832
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
      4⤵
      Sets file to hidden
      PID:6928
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
      4⤵
      PID:7036
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
      4⤵
      PID:7156
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:6208
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
      4⤵
      PID:7124
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
      4⤵
      Sets file to hidden
      PID:5204
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
      4⤵
      Views/modifies file attributes
      PID:3464
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
      4⤵
      Views/modifies file attributes
      PID:3872
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
      4⤵
      PID:5060
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
      4⤵
      Views/modifies file attributes
      PID:6868
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
      4⤵
      PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5148
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        5⤵
        
        PID:32
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        Drops file in Program Files directory
        
        PID:5208
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:3640
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3212
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:6752
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:6260
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2036
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        5⤵
        
        PID:5524
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:5448
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1508
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
      4⤵
      PID:5768
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5500
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
      4⤵
      Kills process with taskkill
      PID:6176
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
    3⤵
    - Sets file to hidden
    PID:1708
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4316
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3860
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3812
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
    3⤵
    - Views/modifies file attributes
    PID:4216
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\BHO\ie_to_edge_stub.zrz"
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\cookie_exporter.zrz"
    3⤵
    - Views/modifies file attributes
    PID:3164
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Installer\setup.zrz"
    3⤵
    - Sets file to hidden
    PID:4292
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\elevation_service.zrz"
    3⤵
    PID:748
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\msedge.zrz"
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.zrz"
    3⤵
    - Sets file to hidden
    PID:5208
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\msedgewebview2.zrz"
    3⤵
    PID:5348
- - C:\Windows\SysWOW64\attrib.exe
    "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\msedge_proxy.zrz"
    3⤵
    PID:5440
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:5480
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo --===Kuzja Report===-- > "C:\system.log"
      4⤵
      PID:5764
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:5636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:2332
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:32
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /all >> "C:\system.log"
      4⤵
      PID:6000
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo \\\/// >> "C:\system.log"
      4⤵
      PID:5500
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
      4⤵
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2152
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        5⤵
        
        PID:5432
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2664
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:5748
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5572
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:6300
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:6404
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:6956
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        5⤵
        
        PID:5696
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4008
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:6244
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1612
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        
        PID:5936
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:5736
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        6⤵
        
        PID:3852
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
        5⤵
        Sets file to hidden
        
        PID:5224
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:1228
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
        5⤵
        Sets file to hidden
        
        PID:6764
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:5272
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6928
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:5980
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4448
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:5064
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5908
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
        5⤵
        Views/modifies file attributes
        
        PID:5180
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wab.zrz"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5328
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Mail\wabmig.zrz"
        5⤵
        
        PID:6792
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\setup_wm.zrz"
        5⤵
        
        PID:6828
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmlaunch.zrz"
        5⤵
        
        PID:6096
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpconfig.zrz"
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        
        PID:5704
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:772
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmplayer.zrz"
        5⤵
        
        PID:1804
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmprph.zrz"
        5⤵
        
        PID:6636
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3472
    - - C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7144
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5680
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Windows Media Player\wmpshare.zrz"
        5⤵
        
        PID:6736
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6900
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4652
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.zrz"
      4⤵
      PID:3228
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.zrz"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4544
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ExtExport.zrz"
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ieinstal.zrz"
      4⤵
      Views/modifies file attributes
      PID:5768
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.zrz"
      4⤵
      Sets file to hidden
      PID:5100
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\ielowutil.zrz"
      4⤵
      PID:6096
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Internet Explorer\iexplore.zrz"
      4⤵
      PID:6048
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.zrz"
      4⤵
      PID:2816
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.zrz"
      4⤵
      Sets file to hidden
      PID:5800
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2840
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.zrz"
      4⤵
      PID:2332
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\BHO\ie_to_edge_stub.zrz"
      4⤵
      Views/modifies file attributes
      PID:4352
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\elevation_service.zrz"
      4⤵
      Sets file to hidden
      Suspicious use of AdjustPrivilegeToken
      PID:4596
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedge_proxy.zrz"
      4⤵
      PID:5208
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe" 0
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:688
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo --===Kuzja Report===-- > "C:\system.log"
        5⤵
        
        PID:6196
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:3116
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:5644
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:5548
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:3464
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ipconfig /all >> "C:\system.log"
        5⤵
        
        PID:5240
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo \\\/// >> "C:\system.log"
        5⤵
        
        PID:5800
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Drops file in Program Files directory
        
        PID:4720
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.zrz"
      4⤵
      PID:5772
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2484
  - - C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\pwahelper.zrz"
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6272
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6384
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6112
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
    3⤵
    - Kills process with taskkill
    PID:4124
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im resmon.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im "1.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in Program Files directory
PID:2768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:960
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:6280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6280.0.1211042096\1831060063" -parentBuildID 20221007134813 -prefsHandle 1824 -prefMapHandle 1804 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6df353b4-e537-4e3a-9537-127afa568c57} 6280 "\\.\pipe\gecko-crash-server-pipe.6280" 1904 1e4453ddb58 gpu
    3⤵
    PID:5556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6280.1.2093610794\2130738897" -parentBuildID 20221007134813 -prefsHandle 2260 -prefMapHandle 2256 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce7c769-1782-4967-acae-05a57073c7e4} 6280 "\\.\pipe\gecko-crash-server-pipe.6280" 2280 1e4393e4658 socket
    3⤵
    PID:7748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6280.2.1265068495\968768546" -childID 1 -isForBrowser -prefsHandle 2964 -prefMapHandle 2816 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ef63de9-ca48-477e-a64a-3645757026c8} 6280 "\\.\pipe\gecko-crash-server-pipe.6280" 3100 1e44535cd58 tab
    3⤵
    PID:7848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6280.3.396914717\1541057915" -childID 2 -isForBrowser -prefsHandle 3536 -prefMapHandle 3520 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a21d853-8729-448c-b443-96490d1eeff6} 6280 "\\.\pipe\gecko-crash-server-pipe.6280" 3640 1e43935ca58 tab
    3⤵
    PID:6152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6280.4.1451409312\2077293409" -childID 3 -isForBrowser -prefsHandle 4512 -prefMapHandle 4504 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ff23585-5251-4744-aab9-577a42af166c} 6280 "\\.\pipe\gecko-crash-server-pipe.6280" 4508 1e44c2db158 tab
    3⤵
    PID:6492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6280.7.522902687\21896760" -childID 6 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce8163ea-9f87-4c75-884d-1e4ab2c0329f} 6280 "\\.\pipe\gecko-crash-server-pipe.6280" 5408 1e44cb60658 tab
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6280.6.1029300675\946768719" -childID 5 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {814ec084-0526-46b4-859b-e58881457169} 6280 "\\.\pipe\gecko-crash-server-pipe.6280" 5216 1e44cb5fd58 tab
    3⤵
    PID:6388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6280.5.982262347\1229253029" -childID 4 -isForBrowser -prefsHandle 5024 -prefMapHandle 5052 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29a8e47b-58ff-4379-9456-01d7a7752a8e} 6280 "\\.\pipe\gecko-crash-server-pipe.6280" 5020 1e44cb61858 tab
    3⤵
    PID:3416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

Filesize
32KB

MD5
a28578a343cc18414ae96edc47ff09d5

SHA1
9792c7fd8c4c41be63d1f4bad742a57c48ed0dfb

SHA256
e9f8eaa5d20ba8d588ca0e05246d9bd6a4ab04f1d198e613ce5f512e55e8d782

SHA512
79bf3d184ddbd5489d80edb8973af3eb5c3383997becdb6f98fc858785108ec8d6a50ca3f0bebb8f0119bd8505405a6f60c313cce0b2cf2d7716f72bed4e4d18

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dqzncde8.default-release\cache2\entries\B573808F9B4F64D3E5F0B069BDAA48EF4086E712

Filesize
13KB

MD5
9622d8ee577fd4fdd59c47a0b1f4e308

SHA1
2bc4ecc67e8c9e6592c82131b0576390595a268c

SHA256
e95d37b513618cd7c77756a436f9e912ebe7e6b055699456f6d74b1b8ac0c213

SHA512
f2b5c08e26cdec0566dc80dfe83f876216b2858a105a446e16ef58556b257b01749737970436747fd26a531698cd4f3e0d0eb2b1eac7413b69f98e9fb30e7c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
2.2MB

MD5
71e79214a0574c2b5b38af5d907c7c10

SHA1
31520212a2b6f3dfa9b417f8ca2f9d6d839f54cb

SHA256
04e96868c3538e68f392ba82cdb45403c5c820f7ac12883d3c46a9348718fc0a

SHA512
ae0cdeaa8cf96ab90b1bf556f4b7e55b6eabcf87bdb9546409b65c9575b983c9544a64fe7448347ff31c5ee52e58ea2a0428f2ab042f88a53e2c30880a3d14de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
dd42b5b97e3993d3e87db498615e7095

SHA1
1f34c5ca594134c9d48175acc93119307a3b7fd5

SHA256
2b51ce64d4d7956e8e5aeb0cfe532886186262bb4cd1b79cb4fb61052fa9a220

SHA512
161aef097e728bfdd06c166a4b9abe3c24fe6cc1d4669495b4dfb7274b0891a094a881af0c76da9fead4a8e0ece2e64526d568e681c53211b86a9d30106181d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\bookmarkbackups\bookmarks-2024-01-03_11_zumuf5BEecglHtr+JgNPRg==.jsonlz4

Filesize
941B

MD5
a15899d0f3d98d49a19b5c537e680c6f

SHA1
824710cff0de63d9c0b6e64c39087cb8fc0db682

SHA256
003efcfc372a27f8a19308a4bcb002fad394da8df2eaa60138c6d7325eaf3bfe

SHA512
555b9dcb71b7b69ec0a89dfb2a67e9a2b7b271c9d8594ed4c4eedf9721464a9cd123e3706a2081b80b656dde6183680a459c1232729e22e8067d3b99478c4165

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\broadcast-listeners.json

Filesize
216B

MD5
dc99ab71f218f15c8ab970897d01143e

SHA1
4f419041f040ac005435aa9a612b98cf0bb0c2f9

SHA256
e19004ee6f366e2b9b513b1bd531fcadce33a26fe9cfc6043e0acbae23d8e612

SHA512
aee6fee0bdc98d0d8b7d39c04ea4570cbdeb5cea496264def88b49e413507604bc8e28fe2e64e272c50f34bbf11be34354fc71f1c030e55386c295e0d5e14217

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
cf537e459893db0532bb08e4f4ae4ade

SHA1
605d0d0b3003c40dd29144e4a91706f63ea2a32c

SHA256
3aa08cdba3e12567176119ddbd33f27f8cc667e604d1b07c3fadc31bd144cf73

SHA512
efbfae80873d81a7b4ea8b4890e2376b4e1b0a349bdf23d3db1224a1367c9869144dfd13b810eabc16e9ecfe887bf7a901b973e2b282397db4e399437c343641

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\datareporting\glean\pending_pings\4cae6c2d-5e6c-4a0b-a6fe-2a034f174071

Filesize
746B

MD5
33e04c3a8c8b829852893fab58e44ee3

SHA1
0778f786756137d64f90e8ccf991ac3ee3dca70c

SHA256
a2ca2d022c4d8f9307b461859bee644503c0e52d6f6859146b54f219e17cc451

SHA512
7eee065f4c8be28b0a4171e72c34b2da4fd6f456905fa1d9de6626c1a4a71d9ef0b683494963b2360054b9da89d35ce1c2da65ed09d6220d346be1f85fc9d1c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\datareporting\glean\pending_pings\beca68eb-6805-4605-ad88-0a2b9d6bf74b

Filesize
10KB

MD5
593ac8d8c6c2c0514041c70e602ffa13

SHA1
ff2695a4b2d3a5662f8d02d729f39abe8740a6a3

SHA256
c899fd542d68294ae8c2153f0a6a601469b7e467c71c3ee4e47fa410fcedb663

SHA512
a9844c20d968351407ff09b730e292b61f01c382f62ba0c7247fd4dd4772d3d41699092ae1ab717a602adb5d64b1a53fac6c19bb973f5bf91346d620f074662b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
1.7MB

MD5
9608caed6982c8c2e70802317c5e99f6

SHA1
506fe97589b0e09e0f2d20ed4e666687a32ea805

SHA256
5fa12834228670246285ead4166290d55f574bf4d302a94de838331aca6045d7

SHA512
32d840f4698ca679383547e83396184f8f06267368e9c437202fcddf7798edff3329d040ec12e303f01634893face96e0beba899b800337037eb530937a145a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\prefs-1.js

Filesize
9KB

MD5
e7c101e7fd9a95fac8398ea994d0d5f7

SHA1
5c1af5e989cd006728c486997d9db1caadc37874

SHA256
4b2423d05200f6aa6bbf5a0510cf20848a8a6e59b85c53a90b96798978213f65

SHA512
29aced024ce07d7935ec0f119643ec63c86e9933efee7bbfce7c5751dde05af1a12d05c38cc0a0cac0d046e048848d9ffc4eeb8b659112a95e5e810be8c9954c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\prefs-1.js

Filesize
10KB

MD5
ec3c5b7feb40280b0ec0cccee535a043

SHA1
957e6d7041b75f57a8152527c9bf280ce8256745

SHA256
d2b78a8236a9433e5092b7536f2c483debbd3131713803ecbee768f8d17213bf

SHA512
9a9abb62ddfec760ecb31c7570e72a1554fa1c4216d7b69606b00abc33e7c1b74424aef22491f5d581459747eca88d7b6e9a3b6a19a16d146a4092e5d2fce680

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\prefs-1.js

Filesize
6KB

MD5
2474730539b742b95aa0966e603f443e

SHA1
615ead5f49160f1a398fb2a82e5f4dea793ff55a

SHA256
7bccf2d0c93f29bb36bdf1d2ff228dac25d76812ebd265591ae7dc5958278f3d

SHA512
a334aa23b328898056b2bcc42f2a31ef6bf185ea135a1649c86e1663c0e2e157d02c25f2330b11897eecac73e2f425b6cce5ee5aece28835b0fa4b9243f8c137

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\prefs-1.js

Filesize
6KB

MD5
755bf684707c3059a323ab0e2f5fc647

SHA1
05d2b8f9c4a337a09f1585d2dc9b8c940632cea2

SHA256
f4f05ccf504b72c686edf44562e9837fc03254ff93744cbb85b600cf3ed7fb9f

SHA512
f543c6bca194c402eb885f34f4de15422f7d542772dd7f70d831461ec893bac4a7109b6f35c92deadf2e7badc76a40e5605309418ac91bf525283e466c7057ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
24f43284620b0221238b9af1b4e577f0

SHA1
80a5a2251f3a32e92a2f62d3ed4295df1332f49b

SHA256
5db370acd3b5897e0be25c3cd0962f4017ffaffd770b14dab7ed26e9caa3b4b3

SHA512
971c7e25326abf4af708ee12d7f47b806d0608547563f39290d2b8e83519338105a34d173710319a4863e26109fbb125a834a47423563e4121afe27238f95346

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dqzncde8.default-release\targeting.snapshot.json

Filesize
3KB

MD5
dc6c77257a2e9ef8721596b462eacfe0

SHA1
8724505d2ba05ee1291af0024cd934c9ec0b6c1c

SHA256
0b29813e2ae30adb9e7d4569f914769b8b67b1a15f09018392b2cd299eb26172

SHA512
e394a48ff1b134e1b8c139e49ba3fc7ab4e5e22f92927fcce97b086b1fb70eaa1ebad5e761c3e69c9fe42bedad5b91172c814fffcc43399548e901ad22a70ae3

Download Submit
C:\system.log

Filesize
1KB

MD5
3476feafbfa372a2e6e49283731f2349

SHA1
ac22b32ea5c6bdd033095777cb97f2385690fb9a

SHA256
fa39ac1455fef87537f802ff712d0d1c2d723df1e1c6e31b60afc9289bc01dec

SHA512
6a581e582ed9aff0b677a944bd5a88438ea97a23d16114d2105548c79fa2538cdbc6385f342e6ddbe58e4c301334fe756ae5eab8a0f637aff0a47624166dad1b

Download Submit
C:\system.log

Filesize
70B

MD5
a16120de5ed668c40899be2038759357

SHA1
5617ab44ff30c8f962387abb56469ca024fa2115

SHA256
f094df98b39483773d803f1ec87583329a7fab21d7dd8d47b06e984f28cb4c4e

SHA512
adf9776d08e736219d5b5e2049e97dad643614ca316883e0fa4922209d47b3ebc9d0fe36cc05f8eb30c515b3a1a442b30222c8b99772f457c721b64f4ede1731

Download Submit
C:\system.log

Filesize
1KB

MD5
7fa3ba71060846c309e46001b79736a5

SHA1
db058d6ca1b04cb052a58886dac811fe01e69f76

SHA256
007f5fd0dc44cfb9667240574102d0e77851208b01ab10f11c9cb2194525bd6e

SHA512
0a642d61639d985f252630cdb895493a19ecf470fe007fa94f32461c9d56c64eb1bf315b52c0cdab9addc505cfef3640c98b1558b32339c8f4a46ee20d1aa292

Download Submit
C:\system.log

Filesize
25B

MD5
eba81de3310ef96a5f9324d38e1db4e3

SHA1
a60a2601a01ee6b72c792c8e8fe07c7698a6cf7d

SHA256
deb53e56badfa2c969aadfdb8b53f76e422f8a989191dbd3d90187a90afbe953

SHA512
e651a3223ccac9a7ef960fe35e22222c03aa0e0ed8bfff29d3866961ae2ef66fb706a35ec32c0e1e68b746946d110ba778b139344bf0a7532abc47bb6a4bee9a

Download Submit
C:\system.log

Filesize
34B

MD5
b70a87553ecc9bfc6fb913cdd27f119d

SHA1
57ccf4d5f48c5ed13085ad00d419028d901c1ea4

SHA256
394b37acaf41ae63cfc829291ae6b48909210c21f4f271c84e831afc894018f6

SHA512
92eddbcc02baf5adb0011b88e2e31f94d58f5055abf8e6adf512e008b99cad1c4f1a306901a0cdc2bfa944fc33f36110ac07e01e165915713a16e7a671cfe4f9

Download Submit
C:\system.log

Filesize
43B

MD5
57127ac0be9bfcd1ea5735989ea7cd1c

SHA1
e4e79fafe540c7839ad8e575b83817869193e7b1

SHA256
2c1e54fa62f626b5278722adfd5811073f67c776992716d98c073a990104fc26

SHA512
f922a206ff162cb3978ae94b8f082fcd6288783a8b8fa37a2ee713d02008bccb76810dd3063f38e0dd450293ff28863404d362fbcfbb229e1271e7c303bb6220

Download Submit
C:\system.log

Filesize
52B

MD5
2e4bb0cbe5a62a8b15d9fd4f80250c4f

SHA1
27ee76c6b1760b74595da3e27ecc5acce434b5c7

SHA256
74fadd54de220b3e790ddd85c20139f310a7d7c342c514da3546af689414b516

SHA512
b33199cd03c20a9bff1770dcee5ec0c3ca26da3cc1de5be4d75250a359c74603ffc8969b1bf21d9de09dda52e29a4707165c5307581a0fa4402504a61daaedbe

Download Submit
C:\system.log

Filesize
1KB

MD5
f37a12c40de338cc0b99e5cdcd5254c7

SHA1
a8325aa3b7b2e335c975d2a8b93ab88312eabd84

SHA256
7339bb8eec35bd463f24389b0e3e0af968a52b77222cce372058062d19b3e8c6

SHA512
7ce91c5755ea316df0e4217fe9f4926e743e9c68477ae8f2a42163debb6d7bdc225fe84b912aae811d8545bca3ea86a6e3acd90c40b07fad8cafcb27406b4fb4

Download Submit
C:\system.log

Filesize
1KB

MD5
1c75243cc5a84f0f06d51e33d40b600d

SHA1
e9b1d0281a6f23457eab6434e87e4bb5bda42f0f

SHA256
cd342440fc02f586e43a20c133d4f87c5b01326ccaf7ae2505d4d984acf8f2e2

SHA512
84f8c7b3cdf810cb505a8001fa1727a0b5fa840d103ecbe0205cc20e4ae37cc6739552c2060378d72ccda158dc34b41890e9ca7350b781a678619f6d6746f47b

Download Submit
C:\system.log

Filesize
1KB

MD5
cecf185253ad48319a3c5b3e8f8b6066

SHA1
5764eb1399ef0639b9a44fa4fa7b0deab781b338

SHA256
01c77881b0eba99abb947e11085d94226e0bf15a9130239363efae972443cd54

SHA512
41d54a8ab1a001895a23fc3064a194a446c33d9e2f68a0fd20300c96c29743d90567cd6b5e7ee828200b9dfbbb978553e664c39c159bb7550e7488e9f2aa8937

Download Submit
C:\system.log

Filesize
61B

MD5
8070b69eec39e2dbea0f1ceca52779af

SHA1
e2dd1e42c991640b6b50ffa9e220afc6e8c8bfdb

SHA256
3696794c8aa3dd280cddd04321bbc98a8efdda93f3e64a1f9b1a10d1bea11b79

SHA512
7d64f4e78017975a683834f4e72937a03b4932f8050ca082b13fc5ca66700b1bb6217938227e0654ea6ee5382903c2fc095a9f89c577d754f8244397f7020479

Download Submit
C:\system.log

Filesize
1KB

MD5
54065a75cbeff7699a7b52a16159595d

SHA1
4815d5b0a255bb0f227c96da87cbeea77990d7ae

SHA256
d75f9a9ff4f14f6bb9be7df88657c8c7bde0cbf5da4e3481006169a2e840d78c

SHA512
375beefd8288f5ea678191760d6fb9c530803c47c632effbc0bd07dd1777cd7dc4421643df254cd5535377eca216ec0975cf9a19fd1b93e06ede280a7402bbe1

Download Submit
C:\system.log

Filesize
1KB

MD5
854ccddb38db68e69d0e368508d5f6db

SHA1
1b429a0d1f5d3822be31cc7a4d9a9cd801ae2307

SHA256
01188364032ccbf1c58cfb7706fa71223de6ac5c05e17ea13f6e496da3e65eec

SHA512
f6ee4f6f9531da430d32ee9d5f2d92b0b1136a8a960e3dd65e2b68a34da61eea55c4fdb46243be5fd9bf3d4dbaaf4a0b2a3286384ffefb661cadf866ed9c8ea7

Download Submit
C:\system.log

Filesize
1KB

MD5
16d243731f598dc76145a880a2760fbf

SHA1
78ba28405917211cac6853c792e12124804b8196

SHA256
8501b0852dcdff6762a83928984754029cb862c9105e16d009712d1692d70240

SHA512
1b432a578ebe288ca28e4a53bab0c7c0f536c609cee1ce48bfc1a0b8fd99c5629ad0c01cc8799b2fa45c5afcdf47cc7e5377191efabc02c64739a4823e2b62b0

Download Submit
C:\system.log

Filesize
1KB

MD5
6cc904483f076f867322463e73be3f37

SHA1
34919594a7284c5cf37b16324eaedb126535ced5

SHA256
e45cbdb4010dcdfcd5a73a79a570c273fe3650bb9e625b0a1ad12a3013311e91

SHA512
72ea1d6ab33c37ae28fff85afc76aa5dc46c25fd6ccd826a74782b3eb4c72e4f22ca865dcebcd843aa6a4dcd691ea4c1b615503b0846707d7d17416798cb93a8

Download Submit
\??\c:\system.log

Filesize
2KB

MD5
4a8ee8367fb6d324131b022d8068e0fd

SHA1
f44f7c18a870de3ff60b9cb5a244a0e195b09d14

SHA256
3a9e447ec54a1b2b03a6f86a75d05b5004d116647b96892cae5671bb74350f12

SHA512
a665af8da80a85da2c1544238fe7cf23552298e553dcd17a9d94fd9d7178e3068fcd8a4ccaa657b0209266516f5c5ca3ae18e2338e57756600171884f35ef32c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads