cb033cda58e85a4b8d6a4f58b27f75bdbd5d68ba4aa9b8736130468f1e8c0885

Analysis

max time kernel
0s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0391980aa743c3fa10dd4aecb4cc8cc0.exe
Size

28KB
MD5

0391980aa743c3fa10dd4aecb4cc8cc0
SHA1

99fdfe068911bc4af078289865eb15936e6cae82
SHA256

cb033cda58e85a4b8d6a4f58b27f75bdbd5d68ba4aa9b8736130468f1e8c0885
SHA512

5dc213f346993d4621049a61dea96b3655edc7d0b46ee088c5d3bed7fe36675e0231bb7cb94e79d87d192bde4cbb6de19acc332e8d6f040e3dd3cf8782c93b7c
SSDEEP

384:jnjTJcXKzl4uZ2d5nzdLe2cmR51SUcEOftP56IuBKyZA8rG6dYRRTTF:71ObkmR51SUcEOKI4S8rG6+RRTTF

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 62 IoCs

evasion

Windows Service

T1543.003

pid	Process
3340	netsh.exe
4332	netsh.exe
4692	netsh.exe
3632	netsh.exe
3948	netsh.exe
3220	netsh.exe
4796	netsh.exe
3112	netsh.exe
4588	netsh.exe
4748	netsh.exe
3344	netsh.exe
3320	netsh.exe
4332	netsh.exe
2848	netsh.exe
4944	netsh.exe
3892	netsh.exe
3740	netsh.exe
792	netsh.exe
3200	netsh.exe
4780	netsh.exe
4996	netsh.exe
3320	netsh.exe
1788	netsh.exe
3656	netsh.exe
3112	netsh.exe
4592	netsh.exe
4500	netsh.exe
3088	netsh.exe
1448	netsh.exe
392	netsh.exe
3536	netsh.exe
4224	netsh.exe
4688	netsh.exe
1204	netsh.exe
4296	netsh.exe
3956	netsh.exe
4308	netsh.exe
812	netsh.exe
4552	netsh.exe
3868	netsh.exe
3588	netsh.exe
4528	netsh.exe
2760	netsh.exe
1328	netsh.exe
3788	netsh.exe
4896	netsh.exe
4548	netsh.exe
3304	netsh.exe
4472	netsh.exe
5028	netsh.exe
4236	netsh.exe
4076	netsh.exe
4516	netsh.exe
2088	netsh.exe
4780	netsh.exe
852	netsh.exe
3760	netsh.exe
3628	netsh.exe
3980	netsh.exe
4780	netsh.exe
3736	netsh.exe
2348	netsh.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dll32.exe	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\dll32.exe	Conhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 3132	4236	reg.exe	227
PID 4236 wrote to memory of 3132	4236	reg.exe	227
PID 4236 wrote to memory of 3132	4236	reg.exe	227
PID 3132 wrote to memory of 2780	3132	Conhost.exe	19
PID 3132 wrote to memory of 2780	3132	Conhost.exe	19
PID 3132 wrote to memory of 2780	3132	Conhost.exe	19

C:\Users\Admin\AppData\Local\Temp\0391980aa743c3fa10dd4aecb4cc8cc0.exe
"C:\Users\Admin\AppData\Local\Temp\0391980aa743c3fa10dd4aecb4cc8cc0.exe"
1⤵
PID:4236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\dll32.bat
  2⤵
  PID:3132
- - C:\Windows\SysWOW64\netsh.exe
    netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 80 dll32 ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:3320
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 7171 dll32 ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:3220
- - C:\Windows\SysWOW64\netsh.exe
    netsh winhttp set proxy proxy-server="http=localhost:7171"
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\dll32.exe
    C:\Windows\System32\dll32.exe
    3⤵
    PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\dll32.bat
      4⤵
      PID:4964
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 dll32 ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:1788
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 dll32 ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:392
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        5⤵
        
        PID:844
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        5⤵
        
        PID:3732
    - - C:\Windows\SysWOW64\dll32.exe
        
        C:\Windows\System32\dll32.exe
        5⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        5⤵
        
        PID:3840
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        5⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        5⤵
        
        PID:3956
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        5⤵
        
        PID:3628
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        5⤵
        
        PID:4804
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
    3⤵
    PID:4048

C:\Windows\SysWOW64\netsh.exe
netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
1⤵
PID:736

C:\Windows\SysWOW64\netsh.exe
netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
1⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:3664
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4588
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4548
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:3040
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:4472
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:216
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:4416
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:3660
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\dll32.bat
    3⤵
    PID:3108
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 80 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3956
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 7171 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3340
  - - C:\Windows\SysWOW64\netsh.exe
      netsh winhttp set proxy proxy-server="http=localhost:7171"
      4⤵
      PID:2456
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:4076
  - - C:\Windows\SysWOW64\dll32.exe
      C:\Windows\System32\dll32.exe
      4⤵
      PID:1400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\dll32.bat
        5⤵
        
        PID:2484
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
        6⤵
        
        PID:4588
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 dll32 ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:4308
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 dll32 ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:3320
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        6⤵
        
        PID:4592
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        6⤵
        
        PID:4068
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        6⤵
        
        PID:3656
      - C:\Windows\SysWOW64\dll32.exe
        
        C:\Windows\System32\dll32.exe
        6⤵
        
        PID:1732
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        6⤵
        
        PID:3220
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        6⤵
        
        PID:2088
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        6⤵
        
        PID:852
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        6⤵
        
        PID:2620
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:3980
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:1776
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:4288
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:4536
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:2736
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:1376
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:4796

C:\Windows\SysWOW64\netsh.exe
netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
1⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:4824
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\dll32.bat
    3⤵
    PID:4608
  - - C:\Windows\SysWOW64\netsh.exe
      netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
      4⤵
      PID:3868
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 80 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:792
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 7171 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4780
  - - C:\Windows\SysWOW64\netsh.exe
      netsh winhttp set proxy proxy-server="http=localhost:7171"
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:3264
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:3600
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:3120
  - - C:\Windows\SysWOW64\dll32.exe
      C:\Windows\System32\dll32.exe
      4⤵
      PID:4692
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:1348
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:1204
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4500
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:4280
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:756
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:1788
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:3748
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:3340
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:4528
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:1340
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:4408

C:\Windows\SysWOW64\netsh.exe
netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
1⤵
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:1720
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:1204
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:3980
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:3004
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:3452
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:748
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:3180
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:3388
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:940
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:3824
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:952
- C:\Windows\SysWOW64\netsh.exe
  netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
  2⤵
  PID:4316
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4796
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2088
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:2380
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:4236
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:4004
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:2924
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:4336
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:3536
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:4748
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:1136
- C:\Windows\SysWOW64\netsh.exe
  netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
  2⤵
  PID:2796
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4296
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:3200
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:3660
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:4812
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:2380
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:4840
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:656
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:4144
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:1180
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\dll32.bat
    3⤵
    PID:3968
  - - C:\Windows\SysWOW64\netsh.exe
      netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 80 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3536
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 7171 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4528
  - - C:\Windows\SysWOW64\netsh.exe
      netsh winhttp set proxy proxy-server="http=localhost:7171"
      4⤵
      PID:1324
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:3340
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:1204
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:5072
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:4076
  - - C:\Windows\SysWOW64\dll32.exe
      C:\Windows\System32\dll32.exe
      4⤵
      PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:4596
- C:\Windows\SysWOW64\netsh.exe
  netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
  2⤵
  PID:3632
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:3344
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:3628
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:4536
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:3264
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:3980
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\dll32.bat
    3⤵
    PID:3040
  - - C:\Windows\SysWOW64\netsh.exe
      netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 80 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\dll32.bat
        5⤵
        
        PID:3660
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
        6⤵
        
        PID:4336
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 dll32 ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:3304
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 dll32 ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:3112
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        6⤵
        
        PID:1072
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        6⤵
        
        PID:3296
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        6⤵
        
        PID:2000
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        6⤵
        
        PID:4224
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        6⤵
        
        PID:5072
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        6⤵
        
        PID:1096
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        6⤵
        
        PID:1536
      - C:\Windows\SysWOW64\dll32.exe
        
        C:\Windows\System32\dll32.exe
        6⤵
        
        PID:2444
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 7171 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3588
  - - C:\Windows\SysWOW64\netsh.exe
      netsh winhttp set proxy proxy-server="http=localhost:7171"
      4⤵
      PID:852
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:4212
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:1376
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\dll32.exe
      C:\Windows\System32\dll32.exe
      4⤵
      PID:5104
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:1356
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4236
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:2088
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:4984
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:2484
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:3352
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:1524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\netsh.exe
netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
1⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:1776
- C:\Windows\SysWOW64\netsh.exe
  netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
  2⤵
  PID:2280
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:812
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:3892
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:5092
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:3656
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:4004
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:4352
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\dll32.bat
    3⤵
    PID:4144
  - - C:\Windows\SysWOW64\netsh.exe
      netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
      4⤵
      PID:1924
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 80 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4332
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 7171 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4780
  - - C:\Windows\SysWOW64\netsh.exe
      netsh winhttp set proxy proxy-server="http=localhost:7171"
      4⤵
      PID:3264
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:4288
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:4732
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:3516
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\dll32.exe
      C:\Windows\System32\dll32.exe
      4⤵
      PID:4792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\dll32.bat
        5⤵
        
        PID:1376
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
        6⤵
        
        PID:4856
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 dll32 ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:852
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 dll32 ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:4236
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        6⤵
        
        PID:4056
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        6⤵
        
        PID:4352
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        6⤵
        
        PID:2240
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        6⤵
        
        PID:5016
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        6⤵
        
        PID:3352
      - C:\Windows\SysWOW64\dll32.exe
        
        C:\Windows\System32\dll32.exe
        6⤵
        
        PID:3136
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        6⤵
        
        PID:4224
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        6⤵
        
        PID:1072
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:5104
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:4056
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:4332
- C:\Windows\SysWOW64\netsh.exe
  netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
  2⤵
  PID:4724
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4076
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4692
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:4552
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:4896
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:2848
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:3516
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:3216
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:3892
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:4944
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:4284
- C:\Windows\SysWOW64\netsh.exe
  netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
  2⤵
  PID:4692
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4552
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:3736
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:5044
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:760
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:2256
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:4204
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:1452
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:2620
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:1324
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\dll32.bat
    3⤵
    PID:3352
  - - C:\Windows\SysWOW64\netsh.exe
      netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 80 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3088
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 7171 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4780
  - - C:\Windows\SysWOW64\netsh.exe
      netsh winhttp set proxy proxy-server="http=localhost:7171"
      4⤵
      PID:4076
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:3612
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:4400
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:4740
  - - C:\Windows\SysWOW64\dll32.exe
      C:\Windows\System32\dll32.exe
      4⤵
      PID:4572
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:2660
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:812
- C:\Windows\SysWOW64\netsh.exe
  netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
  2⤵
  PID:4028
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:3656
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:3632
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:4348
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:4516
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\dll32.bat
    3⤵
    PID:224
  - - C:\Windows\SysWOW64\netsh.exe
      netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 80 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4332
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 7171 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\dll32.bat
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
        6⤵
        
        PID:4544
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 dll32 ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:2848
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 dll32 ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:1328
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        6⤵
        
        PID:1180
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        6⤵
        
        PID:2796
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        6⤵
        
        PID:4228
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        6⤵
        
        PID:2092
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        6⤵
        
        PID:3312
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        6⤵
        
        PID:2368
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        6⤵
        
        PID:2036
      - C:\Windows\SysWOW64\dll32.exe
        
        C:\Windows\System32\dll32.exe
        6⤵
        
        PID:548
  - - C:\Windows\SysWOW64\netsh.exe
      netsh winhttp set proxy proxy-server="http=localhost:7171"
      4⤵
      PID:5112
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:1448
  - - C:\Windows\SysWOW64\dll32.exe
      C:\Windows\System32\dll32.exe
      4⤵
      PID:4028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\dll32.bat
        5⤵
        
        PID:4056
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
        6⤵
        
        PID:2240
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 dll32 ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:2760
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 dll32 ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:3112
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        6⤵
        
        PID:4284
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        6⤵
        
        PID:2784
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        6⤵
        
        PID:2736
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        6⤵
        
        PID:1204
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        6⤵
        
        PID:2456
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        6⤵
        
        PID:5000
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        6⤵
        
        PID:3008
      - C:\Windows\SysWOW64\dll32.exe
        
        C:\Windows\System32\dll32.exe
        6⤵
        
        PID:4872
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:4080
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:3640
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:368
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:1072
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:3452
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:3764
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:3932
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:4852
- C:\Windows\SysWOW64\netsh.exe
  netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
  2⤵
  PID:3480
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4996
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:1448
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:4336
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:4920
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:3632
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:3304
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:1140
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:3036
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:4348
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\dll32.bat
    3⤵
    PID:3500
  - - C:\Windows\SysWOW64\netsh.exe
      netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 80 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4224
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 7171 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4516
  - - C:\Windows\SysWOW64\netsh.exe
      netsh winhttp set proxy proxy-server="http=localhost:7171"
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:4456
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:5000
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:744
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:3288
  - - C:\Windows\SysWOW64\dll32.exe
      C:\Windows\System32\dll32.exe
      4⤵
      PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:2660
- C:\Windows\SysWOW64\netsh.exe
  netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
  2⤵
  PID:3104
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4688
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:3760
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:1180
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:760
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:1164
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\dll32.bat
    3⤵
    PID:4228
  - - C:\Windows\SysWOW64\netsh.exe
      netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
      4⤵
      PID:2468
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 80 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3868
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 7171 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:5028
  - - C:\Windows\SysWOW64\netsh.exe
      netsh winhttp set proxy proxy-server="http=localhost:7171"
      4⤵
      PID:4284
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:216
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:3320
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:2092
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:4136
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:4928
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:1156
- C:\Windows\SysWOW64\netsh.exe
  netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
  2⤵
  PID:1256
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4472
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:4592
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:4536
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:1552
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:4792
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:3008
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:1680
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:4692
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:2128
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dll32.bat
1⤵
PID:1032
- C:\Windows\SysWOW64\netsh.exe
  netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
  2⤵
  PID:1072
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 80 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:3788
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add portopening TCP 7171 dll32 ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2348
- C:\Windows\SysWOW64\netsh.exe
  netsh winhttp set proxy proxy-server="http=localhost:7171"
  2⤵
  PID:1204
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:4780
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
  2⤵
  PID:5000
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:4588
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
  2⤵
  PID:1336
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:924
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
  2⤵
  PID:1200
- C:\Windows\SysWOW64\dll32.exe
  C:\Windows\System32\dll32.exe
  2⤵
  PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\dll32.bat
    3⤵
    PID:4288
  - - C:\Windows\SysWOW64\netsh.exe
      netsh add allowedprogram "dll32" C:\Windows\System32\dll32.exe ENABLE
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 80 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4896
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 7171 dll32 ENABLE
      4⤵
      Modifies Windows Firewall
      PID:3948
  - - C:\Windows\SysWOW64\netsh.exe
      netsh winhttp set proxy proxy-server="http=localhost:7171"
      4⤵
      PID:4636
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
      4⤵
      PID:2228
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
      4⤵
      PID:1164
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:4556
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\dll32.exe
      C:\Windows\System32\dll32.exe
      4⤵
      PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dll32.exe

Filesize
28KB

MD5
0391980aa743c3fa10dd4aecb4cc8cc0

SHA1
99fdfe068911bc4af078289865eb15936e6cae82

SHA256
cb033cda58e85a4b8d6a4f58b27f75bdbd5d68ba4aa9b8736130468f1e8c0885

SHA512
5dc213f346993d4621049a61dea96b3655edc7d0b46ee088c5d3bed7fe36675e0231bb7cb94e79d87d192bde4cbb6de19acc332e8d6f040e3dd3cf8782c93b7c

Download Submit
\??\c:\dll32.bat

Filesize
1KB

MD5
5fbc138c19c7cbe5bbfc1563b33d33ee

SHA1
972bfa725599b9a042c93505c604f8d14648158e

SHA256
376742be903dbbbfebc09de016d3c5a3a741ebf5088250f895da03315d8bdd7b

SHA512
17de8b53c746cfedca71eb9a5fdbf601ce1429ae36fb5d32f0f0f4718a2de3405b733a9db85e8c52a00ce19daec38ce1c6e36e6e0c771d39c2ac59e9b2417d8f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads