blackmoon | 651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
Size

11.8MB
MD5

381b8a02c7c20bedde20f97933a4a2e6
SHA1

2bb6e6116cef9905a2ce8f2dd0b535229a0122ae
SHA256

651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572
SHA512

fe7392e0c7632b8c26f96d509cde27d151382b41c74ed6ca5ac28c35e51ab467620edc4bc729dd283b26baf2a3754c07e40b31e260efab5c201ee17b8e1387a1
SSDEEP

196608:9IJ6eA5cPmiRqfk0ScX/eBDv+cRc7A4Yn7WILy+aEkcGXe6bqmOIhJZEFIxgabSR:9f1xAcX/Or/M07neRJXe6basrSsgabI

Score

10^/10

blackmoon banker bootkit evasion persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/4940-0-0x0000000000400000-0x0000000001222000-memory.dmp	family_blackmoon
behavioral2/memory/4940-49-0x0000000000400000-0x0000000001222000-memory.dmp	family_blackmoon
behavioral2/memory/4940-173-0x0000000000400000-0x0000000001222000-memory.dmp	family_blackmoon
behavioral2/memory/4940-221-0x0000000000400000-0x0000000001222000-memory.dmp	family_blackmoon

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	3.exe

Executes dropped EXE 3 IoCs

pid	Process
4184	1.exe
4800	3.exe
820	2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1920-38-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/1920-39-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/1920-42-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/1920-44-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/1920-45-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/1920-43-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/1920-37-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/files/0x0008000000023387-115.dat	upx
behavioral2/memory/4800-178-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/1920-216-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/4800-217-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4800-219-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4800-222-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4800-224-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4800-226-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4800-228-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4800-230-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4800-233-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4800-235-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4800-237-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4800-239-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4800-241-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4800-245-0x0000000000400000-0x00000000004E1000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "1.bmp"	3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4940 set thread context of 1920	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	86

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa	cmd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa	cmd.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\1.exe	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
File created	\??\c:\Windows\2.exe	3.exe
File opened for modification	\??\c:\Windows\1.bat	3.exe
File created	\??\c:\Windows\1.ico	3.exe
File opened for modification	\??\c:\Windows\3.exe	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
File created	\??\c:\Windows\1.bat	3.exe
File opened for modification	C:\Windows\Globalization\ICU\icudtl.dat	cmd.exe
File created	\??\c:\Windows\3.exe	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
File opened for modification	\??\c:\Windows\1.ico	3.exe
File created	\??\c:\Windows\1.exe	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
File created	C:\Windows\1.bmp	3.exe
File opened for modification	C:\Windows\1.bmp	3.exe
File opened for modification	\??\c:\Windows\2.exe	3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "2"	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\TileWallpaper = "2"	3.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\gif\EditFlags = "2"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmp\Shell\Open\Command	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.wma\ = "wma"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpg\Shell	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.bmp\ = "bmp"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4\Shell\Open\Command	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\Shell\Open\Command	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exe"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txt\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnk	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rar\	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txt\Shell\Open\Command	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rar\Shell\Open\Command	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb\	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exe	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpg\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\bmp\EditFlags = "2"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3\	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnk\Shell\Open\Command	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rar\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bat	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bat\	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnk\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmp\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\png\DefaultIcon	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4\	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gif\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\png\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wav\Shell\Open	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bat\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3\EditFlags = "2"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3\DefaultIcon	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.mp3\ = "mp3"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wma\Shell\Open\Command	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\wav\EditFlags = "2"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnk\	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bmp\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wma\	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb\DefaultIcon	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\png	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wma\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb\Shell\Open	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\png\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wma	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnk\Shell	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3\Shell\Open\Command	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "rar"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gif\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wma\DefaultIcon	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\png\Shell	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.png\ = "png"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3\Shell\Open	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txt\Shell	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bat\Shell\Open\Command	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "bat"	3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
Token: SeDebugPrivilege	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
Token: 33	3548	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3548	AUDIODG.EXE
Token: SeCreateGlobalPrivilege	13064	dwm.exe
Token: SeChangeNotifyPrivilege	13064	dwm.exe
Token: 33	13064	dwm.exe
Token: SeIncBasePriorityPrivilege	13064	dwm.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
1920	ctfmon.exe
1920	ctfmon.exe
1920	ctfmon.exe
1920	ctfmon.exe
4184	1.exe
4184	1.exe
4184	1.exe
4800	3.exe
4800	3.exe
4800	3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 1632	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	85
PID 4940 wrote to memory of 1632	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	85
PID 4940 wrote to memory of 1632	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	85
PID 4940 wrote to memory of 1920	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	86
PID 4940 wrote to memory of 1920	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	86
PID 4940 wrote to memory of 1920	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	86
PID 4940 wrote to memory of 1920	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	86
PID 4940 wrote to memory of 1920	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	86
PID 4940 wrote to memory of 1920	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	86
PID 4940 wrote to memory of 1920	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	86
PID 4940 wrote to memory of 1920	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	86
PID 4940 wrote to memory of 4184	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	100
PID 4940 wrote to memory of 4184	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	100
PID 4940 wrote to memory of 4184	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	100
PID 4940 wrote to memory of 4800	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	102
PID 4940 wrote to memory of 4800	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	102
PID 4940 wrote to memory of 4800	4940	651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe	102
PID 4800 wrote to memory of 820	4800	3.exe	104
PID 4800 wrote to memory of 820	4800	3.exe	104
PID 4800 wrote to memory of 820	4800	3.exe	104
PID 4800 wrote to memory of 2852	4800	3.exe	105
PID 4800 wrote to memory of 2852	4800	3.exe	105
PID 4800 wrote to memory of 2852	4800	3.exe	105
PID 4800 wrote to memory of 4440	4800	3.exe	107
PID 4800 wrote to memory of 4440	4800	3.exe	107
PID 4800 wrote to memory of 4440	4800	3.exe	107
PID 4800 wrote to memory of 2884	4800	3.exe	109
PID 4800 wrote to memory of 2884	4800	3.exe	109
PID 4800 wrote to memory of 2884	4800	3.exe	109
PID 4800 wrote to memory of 4336	4800	3.exe	111
PID 4800 wrote to memory of 4336	4800	3.exe	111
PID 4800 wrote to memory of 4336	4800	3.exe	111
PID 4800 wrote to memory of 3992	4800	3.exe	113
PID 4800 wrote to memory of 3992	4800	3.exe	113
PID 4800 wrote to memory of 3992	4800	3.exe	113
PID 4800 wrote to memory of 116	4800	3.exe	115
PID 4800 wrote to memory of 116	4800	3.exe	115
PID 4800 wrote to memory of 116	4800	3.exe	115
PID 4800 wrote to memory of 1860	4800	3.exe	117
PID 4800 wrote to memory of 1860	4800	3.exe	117
PID 4800 wrote to memory of 1860	4800	3.exe	117
PID 4800 wrote to memory of 3352	4800	3.exe	119
PID 4800 wrote to memory of 3352	4800	3.exe	119
PID 4800 wrote to memory of 3352	4800	3.exe	119
PID 4800 wrote to memory of 2864	4800	3.exe	121
PID 4800 wrote to memory of 2864	4800	3.exe	121
PID 4800 wrote to memory of 2864	4800	3.exe	121
PID 4800 wrote to memory of 1096	4800	3.exe	124
PID 4800 wrote to memory of 1096	4800	3.exe	124
PID 4800 wrote to memory of 1096	4800	3.exe	124
PID 4800 wrote to memory of 4844	4800	3.exe	126
PID 4800 wrote to memory of 4844	4800	3.exe	126
PID 4800 wrote to memory of 4844	4800	3.exe	126
PID 4800 wrote to memory of 2204	4800	3.exe	128
PID 4800 wrote to memory of 2204	4800	3.exe	128
PID 4800 wrote to memory of 2204	4800	3.exe	128
PID 4800 wrote to memory of 3996	4800	3.exe	130
PID 4800 wrote to memory of 3996	4800	3.exe	130
PID 4800 wrote to memory of 3996	4800	3.exe	130
PID 4800 wrote to memory of 3556	4800	3.exe	132
PID 4800 wrote to memory of 3556	4800	3.exe	132
PID 4800 wrote to memory of 3556	4800	3.exe	132
PID 4800 wrote to memory of 5100	4800	3.exe	134
PID 4800 wrote to memory of 5100	4800	3.exe	134

C:\Users\Admin\AppData\Local\Temp\651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe
"C:\Users\Admin\AppData\Local\Temp\651c927b53fd06ecaa5658c6708a6e669731bfb6621612b1da496aa0666b3572.exe"
1⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:1632
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1920
- C:\Windows\1.exe
  "C:\Windows\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4184
- C:\Windows\3.exe
  "C:\Windows\3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\2.exe
    "C:\Windows\2.exe"
    3⤵
    - Executes dropped EXE
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Windows\1.bat"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:116
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5288
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5456
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5656
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5776
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5828
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5932
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5976
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5284
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5700
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5840
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6180
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6224
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6268
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6348
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6396
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6456
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6504
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6604
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6648
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6756
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6808
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6872
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6924
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7000
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7056
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7112
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6136
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6340
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6588
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6984
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:376
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7208
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7280
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7348
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7424
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7528
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7604
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7668
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7744
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7812
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7912
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7972
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8044
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8112
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7196
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6280
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7404
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7444
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7176
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6016
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8108
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8228
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8284
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8348
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8416
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8480
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8540
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8616
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8680
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8756
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8812
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8880
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8940
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9012
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9080
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9144
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9204
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8360
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8412
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6260
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9008
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:948
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8472
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6920
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7160
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9232
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9284
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9340
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9392
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9452
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9512
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9576
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9660
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9720
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9772
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9844
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9900
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9964
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10024
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10076
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10140
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10192
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9464
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7800
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9640
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5356
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5480
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10088
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10152
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9636
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9984
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5572
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7496
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8340
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7804
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10292
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10348
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10408
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10460
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10516
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10568
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10624
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10676
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10728
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10784
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10844
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10900
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10960
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11020
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11076
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11128
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11192
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11244
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6424
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6520
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10580
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8628
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6956
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9140
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6800
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6492
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11188
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7104
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7236
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9280
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:6860
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9568
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7928
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11296
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11360
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11412
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11468
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11520
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11572
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11632
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11684
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11748
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11808
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11860
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11916
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11968
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12024
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12076
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12136
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12200
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12252
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9764
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9860
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7872
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:7656
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:9856
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12148
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8124
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:8308
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:11424
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12312
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12428
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12556
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12616
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12664
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12708
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12820
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12884
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12944
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12352
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:10564
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12540
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12600
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12636
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:12984
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    PID:13016

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x390 0x51c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e576bb0.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\e576bb1.tmp

Filesize
1.6MB

MD5
5870ea0d6ba8dd6e2008466bdd00e0f4

SHA1
d41bf60d0dedff90e3cfc1b41b7e1a73df39a7d5

SHA256
5a7dac8c8b5d7cf1115246dfaf994e7f50e16a7eac1488642396f5e23fddfe0d

SHA512
0c620d5e7383adcf979feccc3b1bad584a5cec8b3d74d0ace8bb786f1f04ba87fa70d59d041dc3833977d44a75f2070181d4054c7c0b9c4ce2d66249b4b3c837

Download Submit
C:\Users\Admin\AppData\Local\Temp\e576bb2.tmp

Filesize
137KB

MD5
f6b847a54cfb804a25b8842b45fd1d50

SHA1
bb22fef07ce1577c8a7fa057d8cf05502c013bfc

SHA256
5dd2f5a957946e0b6f63660ebd897851aad4795d4c847396c47ddbb647715583

SHA512
dd08a55f538e2a33e6a0c496dc97ae9045594cbbf62f7894ae8ded63f4dc0b2e89c5935269adfd1c19607b1d2474bddc49f6acb955e6dc53a55560663ca2137a

Download Submit
C:\Windows\1.bat

Filesize
42B

MD5
18d3752c6c325712a320bb1b2998a7bd

SHA1
9d3cb84ccb53262b9c7ca44b38f1d4416e6ae9c3

SHA256
755fff78e98c0dd3075163c0bd71cdf4314da964e4b1c4b0de478ebcd10b0af4

SHA512
56c456708cd3645bd6419359f269eec08f46af908b1b64cd64d753ee2a1aa0f51725453503a96ed5ed55a80d78f3f3341abe0d20a685d5230299b877c692dea1

Download Submit
C:\Windows\1.exe

Filesize
10.8MB

MD5
96bfd496709cc75f4939ca11c9b045eb

SHA1
72ead43075708180c362884d06fbab2a75230cd7

SHA256
e056e04ff148d3fca67e6da9e350cd872f221285f977cf83245cbd947b3d5de3

SHA512
b14cd4c5f47c06a956e47c7447999488a948efbaefc70c1f2f7f8ed9150a439c3f48623cd76962c20cd8830e7f3e707d4c6c69335c832fc657f3867add6e5d78

Download Submit
C:\Windows\2.exe

Filesize
9KB

MD5
a4b655c4580fad879c431ac265bd1409

SHA1
f98d37a7c2a5a24f7d6871c87d150de4417e00ad

SHA256
2eba41b0399d91c5677f9ead8beb2610f94026a6a91c84ff7a4f19cfafbe61ad

SHA512
af7124caef5babde34421550f1aef4c74b88ddd657c3eaf4af5887a61b6b8c31b09b199886cab92a87eb089502f049c11da266c900de02c8310058b4c704e854

Download Submit
C:\Windows\3.exe

Filesize
336KB

MD5
1d4337ef26c6fa3cdde77d0231436d6c

SHA1
b53dd07d87c32f091e66b51d13c21f7dc4238c43

SHA256
f7b5d410bd2fdad9da1ab6641a592f0028e9aea83bf323cd3b0766a1cfb67d32

SHA512
91f20b2ac86054880480546e3d8d704079eff9e1f358995af15fbf72350037b0cbf8822a285cf9ac7bf6c3fab5f75529fc9087a2962deb584e0b07bca47c686d

Download Submit
memory/820-218-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1920-45-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1920-42-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1920-37-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1920-43-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1920-38-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1920-44-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1920-216-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1920-39-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4800-219-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4800-235-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4800-245-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4800-217-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4800-241-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4800-239-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4800-237-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4800-222-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4800-224-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4800-226-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4800-228-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4800-230-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4800-233-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4800-178-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4940-221-0x0000000000400000-0x0000000001222000-memory.dmp

Filesize
14.1MB

Download
memory/4940-49-0x0000000000400000-0x0000000001222000-memory.dmp

Filesize
14.1MB

Download
memory/4940-0-0x0000000000400000-0x0000000001222000-memory.dmp

Filesize
14.1MB

Download
memory/4940-173-0x0000000000400000-0x0000000001222000-memory.dmp

Filesize
14.1MB

Download
memory/12556-243-0x0000000000ED0000-0x0000000000F2A000-memory.dmp

Filesize
360KB

Download