blackmoon | 651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
Size

11.8MB
MD5

381b8a02c7c20bedde20f97933a4a2e6
SHA1

2bb6e6116cef9905a2ce8f2dd0b535229a0122ae
SHA256

651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572
SHA512

fe7392e0c7632b8c26f96d509cde27d151382b41c74ed6ca5ac28c35e51ab467620edc4bc729dd283b26baf2a3754c07e40b31e260efab5c201ee17b8e1387a1
SSDEEP

196608:9IJ6eA5cPmiRqfk0ScX/eBDv+cRc7A4Yn7WILy+aEkcGXe6bqmOIhJZEFIxgabSR:9f1xAcX/Or/M07neRJXe6basrSsgabI

Score

10^/10

blackmoon banker bootkit evasion persistence ransomware trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/1752-0-0x0000000000400000-0x0000000001222000-memory.dmp	family_blackmoon
behavioral1/memory/1752-330-0x0000000000400000-0x0000000001222000-memory.dmp	family_blackmoon

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 3 IoCs

pid	Process
1804	1.exe
1620	3.exe
2220	2.exe

Loads dropped DLL 9 IoCs

pid	Process
2308	MsiExec.exe
2308	MsiExec.exe
2308	MsiExec.exe
2308	MsiExec.exe
2308	MsiExec.exe
2308	MsiExec.exe
1248	msiexec.exe
1248	msiexec.exe
352	MsiExec.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1800-12-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral1/memory/1800-26-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral1/memory/1800-25-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral1/memory/1800-23-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral1/memory/1800-18-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral1/memory/1800-15-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral1/memory/1800-24-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral1/memory/1800-27-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral1/memory/1800-171-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral1/memory/1800-172-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral1/memory/1800-272-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral1/files/0x000a000000015cf5-324.dat	upx
behavioral1/memory/1620-337-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral1/memory/1800-336-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral1/memory/1620-537-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral1/memory/1620-582-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral1/memory/1620-661-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral1/memory/1620-807-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral1/memory/1620-953-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral1/memory/1620-1075-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral1/memory/1620-1220-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral1/memory/1620-1367-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral1/memory/1620-1492-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral1/memory/1620-1641-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral1/memory/1620-1781-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral1/memory/1620-1906-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral1/memory/1620-2049-0x0000000000400000-0x00000000004E1000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "1.bmp"	3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1800	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	28

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNON~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNOF~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MYRIAD~1.OTF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\END_RE~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE99D5~1.GIF	cmd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGSES~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\LICENS~1.HTM	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\EMAIL_~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif	cmd.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\classes.jsa	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\EMAIL_~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SUBMIS~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSIG~1.PDF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE78D9~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGTRA~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RECDE7~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\IDENTI~1	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\OPEN_O~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~4.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\STANDA~1.PDF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ADD_RE~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE1558~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPU~1.INI	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CCME_B~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icucnv36.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNON~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DEFAUL~1.PDF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ENDED_~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~3.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~3.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\STOP_C~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ADOBEL~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SH~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CRYPTO~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGTRA~1.EXE	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll	cmd.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	\??\c:\Windows\1.ico	3.exe
File opened for modification	C:\Windows\Installer\MSI67D7.tmp	msiexec.exe
File opened for modification	\??\c:\Windows\1.exe	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
File opened for modification	\??\c:\Windows\3.exe	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
File created	C:\Windows\1.bmp	3.exe
File created	\??\c:\Windows\2.exe	3.exe
File created	\??\c:\Windows\1.bat	3.exe
File opened for modification	\??\c:\Windows\1.bat	3.exe
File created	C:\Windows\Installer\f7667ac.ipi	msiexec.exe
File created	\??\c:\Windows\1.exe	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
File created	\??\c:\Windows\3.exe	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
File opened for modification	C:\Windows\Installer\MSI6884.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A8A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C13.tmp	msiexec.exe
File opened for modification	\??\c:\Windows\2.exe	3.exe
File opened for modification	\??\c:\Windows\1.ico	3.exe
File opened for modification	C:\Windows\Installer\MSI6902.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A4A.tmp	msiexec.exe
File opened for modification	C:\Windows\1.bmp	3.exe
File created	C:\Windows\Installer\f7667a9.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\f7667a9.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A9A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6B09.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "2"	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\TileWallpaper = "2"	3.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	ctfmon.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ctfmon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ctfmon.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bat\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpg\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zip\Shell\Open	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb\EditFlags = "2"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4\Shell\Open\Command	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gif\ = "gif"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bmp\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exe	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "lnk"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rar\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rar\DefaultIcon	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\gif\EditFlags = "2"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gif\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\png	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\bat\EditFlags = "2"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\png\EditFlags = "2"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\png\DefaultIcon	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmvb\ = "rmvb"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.png\ = "png"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3\Shell\Open\Command	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3\DefaultIcon	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wma\ = "wma"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\wav\EditFlags = "2"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gif\Shell	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gif\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpg\Shell	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmp\Shell\Open\Command	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bat\Shell\Open\Command	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bat\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpg\EditFlags = "2"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bmp\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wav\Shell\Open\Command	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4\Shell	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wav\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnk\DefaultIcon	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "rar"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\ = "jpg"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gif\	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zip\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zip\DefaultIcon	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txt\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zip\Shell\Open\Command	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wma\Shell\Open\Command	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4\EditFlags = "2"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txt\Shell\Open\Command	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmp\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\png\Shell	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb\Shell\Open	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnk\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpg\	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zip	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\png\	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txt\Shell	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bat	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\ = "bmp"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\ = "mp4"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\rar\EditFlags = "2"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\png\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zip\Shell	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "zip"	3.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1248	msiexec.exe
1248	msiexec.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
Token: SeDebugPrivilege	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
Token: SeDebugPrivilege	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
Token: SeRestorePrivilege	1248	msiexec.exe
Token: SeTakeOwnershipPrivilege	1248	msiexec.exe
Token: SeSecurityPrivilege	1248	msiexec.exe
Token: SeRestorePrivilege	1248	msiexec.exe
Token: SeTakeOwnershipPrivilege	1248	msiexec.exe
Token: SeRestorePrivilege	1248	msiexec.exe
Token: SeTakeOwnershipPrivilege	1248	msiexec.exe
Token: SeRestorePrivilege	1248	msiexec.exe
Token: SeTakeOwnershipPrivilege	1248	msiexec.exe
Token: SeRestorePrivilege	1248	msiexec.exe
Token: SeTakeOwnershipPrivilege	1248	msiexec.exe
Token: SeRestorePrivilege	1248	msiexec.exe
Token: SeTakeOwnershipPrivilege	1248	msiexec.exe
Token: SeRestorePrivilege	1248	msiexec.exe
Token: SeTakeOwnershipPrivilege	1248	msiexec.exe
Token: SeRestorePrivilege	1248	msiexec.exe
Token: SeTakeOwnershipPrivilege	1248	msiexec.exe
Token: SeRestorePrivilege	1248	msiexec.exe
Token: SeTakeOwnershipPrivilege	1248	msiexec.exe
Token: SeRestorePrivilege	1248	msiexec.exe
Token: SeTakeOwnershipPrivilege	1248	msiexec.exe
Token: SeRestorePrivilege	1248	msiexec.exe
Token: SeTakeOwnershipPrivilege	1248	msiexec.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1800	ctfmon.exe
1800	ctfmon.exe
1800	ctfmon.exe
1800	ctfmon.exe
1804	1.exe
1804	1.exe
1620	3.exe
1620	3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1800	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	28
PID 1752 wrote to memory of 1800	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	28
PID 1752 wrote to memory of 1800	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	28
PID 1752 wrote to memory of 1800	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	28
PID 1752 wrote to memory of 1800	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	28
PID 1752 wrote to memory of 1800	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	28
PID 1752 wrote to memory of 1800	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	28
PID 1752 wrote to memory of 1800	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	28
PID 1752 wrote to memory of 1804	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	30
PID 1752 wrote to memory of 1804	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	30
PID 1752 wrote to memory of 1804	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	30
PID 1752 wrote to memory of 1804	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	30
PID 1752 wrote to memory of 1620	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	31
PID 1752 wrote to memory of 1620	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	31
PID 1752 wrote to memory of 1620	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	31
PID 1752 wrote to memory of 1620	1752	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	31
PID 1620 wrote to memory of 2220	1620	3.exe	32
PID 1620 wrote to memory of 2220	1620	3.exe	32
PID 1620 wrote to memory of 2220	1620	3.exe	32
PID 1620 wrote to memory of 2220	1620	3.exe	32
PID 1620 wrote to memory of 3032	1620	3.exe	33
PID 1620 wrote to memory of 3032	1620	3.exe	33
PID 1620 wrote to memory of 3032	1620	3.exe	33
PID 1620 wrote to memory of 3032	1620	3.exe	33
PID 1620 wrote to memory of 2868	1620	3.exe	35
PID 1620 wrote to memory of 2868	1620	3.exe	35
PID 1620 wrote to memory of 2868	1620	3.exe	35
PID 1620 wrote to memory of 2868	1620	3.exe	35
PID 1620 wrote to memory of 2900	1620	3.exe	37
PID 1620 wrote to memory of 2900	1620	3.exe	37
PID 1620 wrote to memory of 2900	1620	3.exe	37
PID 1620 wrote to memory of 2900	1620	3.exe	37
PID 1620 wrote to memory of 1448	1620	3.exe	39
PID 1620 wrote to memory of 1448	1620	3.exe	39
PID 1620 wrote to memory of 1448	1620	3.exe	39
PID 1620 wrote to memory of 1448	1620	3.exe	39
PID 1620 wrote to memory of 1640	1620	3.exe	41
PID 1620 wrote to memory of 1640	1620	3.exe	41
PID 1620 wrote to memory of 1640	1620	3.exe	41
PID 1620 wrote to memory of 1640	1620	3.exe	41
PID 1620 wrote to memory of 1692	1620	3.exe	43
PID 1620 wrote to memory of 1692	1620	3.exe	43
PID 1620 wrote to memory of 1692	1620	3.exe	43
PID 1620 wrote to memory of 1692	1620	3.exe	43
PID 1620 wrote to memory of 2508	1620	3.exe	45
PID 1620 wrote to memory of 2508	1620	3.exe	45
PID 1620 wrote to memory of 2508	1620	3.exe	45
PID 1620 wrote to memory of 2508	1620	3.exe	45
PID 1620 wrote to memory of 2276	1620	3.exe	49
PID 1620 wrote to memory of 2276	1620	3.exe	49
PID 1620 wrote to memory of 2276	1620	3.exe	49
PID 1620 wrote to memory of 2276	1620	3.exe	49
PID 1248 wrote to memory of 2308	1248	msiexec.exe	51
PID 1248 wrote to memory of 2308	1248	msiexec.exe	51
PID 1248 wrote to memory of 2308	1248	msiexec.exe	51
PID 1248 wrote to memory of 2308	1248	msiexec.exe	51
PID 1248 wrote to memory of 2308	1248	msiexec.exe	51
PID 1248 wrote to memory of 2308	1248	msiexec.exe	51
PID 1248 wrote to memory of 2308	1248	msiexec.exe	51
PID 1620 wrote to memory of 1008	1620	3.exe	52
PID 1620 wrote to memory of 1008	1620	3.exe	52
PID 1620 wrote to memory of 1008	1620	3.exe	52
PID 1620 wrote to memory of 1008	1620	3.exe	52
PID 1620 wrote to memory of 1040	1620	3.exe	54

C:\Users\Admin\AppData\Local\Temp\651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
"C:\Users\Admin\AppData\Local\Temp\651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe"
1⤵
- Disables RegEdit via registry modification
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1800
- C:\Windows\1.exe
  "C:\Windows\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1804
- C:\Windows\3.exe
  "C:\Windows\3.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\2.exe
    "C:\Windows\2.exe"
    3⤵
    - Executes dropped EXE
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Windows\1.bat"
    3⤵
    - Drops file in Program Files directory
    PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:492
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:900
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:356
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:576
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:332
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4948
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5320
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5432
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5480
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5544
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5580
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5640
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5692
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5804
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5912
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6084
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6120
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5140
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5244
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5316
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5420
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5612
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5684
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5744
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5232
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5356
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5896
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6016
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5156
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5532
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:716
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5412
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5724
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6196
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6244
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6320
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6368
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6416
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6480
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6528
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6580
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6628
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6688
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6740
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6800
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6852
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6900
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6960
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7016
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7076
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7116
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7152
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6224
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6288
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6396
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6468
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6664
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6728
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6824
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6836
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6956
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7064
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5840
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6268
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6404
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6524
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6700
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6784
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6924
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7108
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6232
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6464
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6624
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6712

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 89A85E293ADB425FB7C0430E00AAA4C0
  2⤵
  - Loads dropped DLL
  PID:2308
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 5753C276D4F3ADFC15562F049F17ADD7
  2⤵
  - Loads dropped DLL
  PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xUIKAjs.sys

Filesize
85KB

MD5
9e02a830dd1c04264560cdc3005902b7

SHA1
24c4a56e4f87505f561f15a85a544186bab92432

SHA256
b9a363908ad335c22a818debdd26162674e7c309ea500fbbdfcf38135eb699b9

SHA512
e4b0e0d924e38e20f3aff3065adfaa1def40864ccccf0317b17de265c1f633045594cd54e5f0ae46be36481127b1074db35ba7d0b7dc6f47e11f99161da33466

Download Submit
C:\Windows\1.bat

Filesize
42B

MD5
18d3752c6c325712a320bb1b2998a7bd

SHA1
9d3cb84ccb53262b9c7ca44b38f1d4416e6ae9c3

SHA256
755fff78e98c0dd3075163c0bd71cdf4314da964e4b1c4b0de478ebcd10b0af4

SHA512
56c456708cd3645bd6419359f269eec08f46af908b1b64cd64d753ee2a1aa0f51725453503a96ed5ed55a80d78f3f3341abe0d20a685d5230299b877c692dea1

Download Submit
C:\Windows\1.exe

Filesize
10.8MB

MD5
96bfd496709cc75f4939ca11c9b045eb

SHA1
72ead43075708180c362884d06fbab2a75230cd7

SHA256
e056e04ff148d3fca67e6da9e350cd872f221285f977cf83245cbd947b3d5de3

SHA512
b14cd4c5f47c06a956e47c7447999488a948efbaefc70c1f2f7f8ed9150a439c3f48623cd76962c20cd8830e7f3e707d4c6c69335c832fc657f3867add6e5d78

Download Submit
C:\Windows\2.exe

Filesize
9KB

MD5
a4b655c4580fad879c431ac265bd1409

SHA1
f98d37a7c2a5a24f7d6871c87d150de4417e00ad

SHA256
2eba41b0399d91c5677f9ead8beb2610f94026a6a91c84ff7a4f19cfafbe61ad

SHA512
af7124caef5babde34421550f1aef4c74b88ddd657c3eaf4af5887a61b6b8c31b09b199886cab92a87eb089502f049c11da266c900de02c8310058b4c704e854

Download Submit
C:\Windows\3.exe

Filesize
336KB

MD5
1d4337ef26c6fa3cdde77d0231436d6c

SHA1
b53dd07d87c32f091e66b51d13c21f7dc4238c43

SHA256
f7b5d410bd2fdad9da1ab6641a592f0028e9aea83bf323cd3b0766a1cfb67d32

SHA512
91f20b2ac86054880480546e3d8d704079eff9e1f358995af15fbf72350037b0cbf8822a285cf9ac7bf6c3fab5f75529fc9087a2962deb584e0b07bca47c686d

Download Submit
C:\Windows\Installer\MSI67D7.tmp

Filesize
257KB

MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
C:\Windows\Installer\MSI6884.tmp

Filesize
363KB

MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
C:\Windows\Installer\MSI6A4A.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
C:\Windows\Installer\MSI6A9A.tmp

Filesize
148KB

MD5
33908aa43ac0aaabc06a58d51b1c2cca

SHA1
0a0d1ce3435abe2eed635481bac69e1999031291

SHA256
4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783

SHA512
d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

Download Submit
C:\Windows\Installer\MSI6C13.tmp

Filesize
86KB

MD5
ff58cd07bf4913ef899efd2dfb112553

SHA1
f14c1681de808543071602f17a6299f8b4ba2ae8

SHA256
1afafe9157ff5670bbec8ce622f45d1ce51b3ee77b7348d3a237e232f06c5391

SHA512
23e27444b6cdc17fe56f3a80d6325c2be61ae84213bc7cdaad7bb96daa7e8d2d3defc1b96c3cee4a3f32dc464b0e05720bcf1c0e99626bf83de1b6d5aac000a3

Download Submit
\Program Files\Microsoft Office\Office14\VISSHE.DLL

Filesize
953KB

MD5
2f4759c23abcd639ac3ca7f8fa9480ac

SHA1
9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

SHA256
6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

SHA512
6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

Download Submit
memory/1620-1367-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1620-1220-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1620-582-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1620-537-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1620-807-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1620-953-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1620-1075-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1620-661-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1620-1492-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1620-337-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1620-1641-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1620-1781-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1620-1906-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1620-2049-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1752-558-0x0000000006770000-0x0000000006851000-memory.dmp

Filesize
900KB

Download
memory/1752-559-0x0000000006770000-0x0000000006851000-memory.dmp

Filesize
900KB

Download
memory/1752-331-0x0000000006770000-0x0000000006851000-memory.dmp

Filesize
900KB

Download
memory/1752-330-0x0000000000400000-0x0000000001222000-memory.dmp

Filesize
14.1MB

Download
memory/1752-332-0x0000000006770000-0x0000000006851000-memory.dmp

Filesize
900KB

Download
memory/1752-334-0x0000000006770000-0x0000000006851000-memory.dmp

Filesize
900KB

Download
memory/1752-333-0x0000000006770000-0x0000000006851000-memory.dmp

Filesize
900KB

Download
memory/1752-557-0x0000000006770000-0x0000000006851000-memory.dmp

Filesize
900KB

Download
memory/1752-0-0x0000000000400000-0x0000000001222000-memory.dmp

Filesize
14.1MB

Download
memory/1752-560-0x0000000006770000-0x0000000006851000-memory.dmp

Filesize
900KB

Download
memory/1800-172-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1800-24-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1800-272-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1800-336-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1800-171-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1800-27-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1800-10-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1800-12-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1800-15-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1800-18-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1800-23-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1800-25-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1800-26-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1800-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2220-538-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download