blackmoon | db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee

General

Target

db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
Size

11.8MB
MD5

ebc646cbb3d02b21472aa13efdd4e344
SHA1

6d011b7dc10c644d6c5d85132dd091743a178409
SHA256

db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee
SHA512

e09276812716f369ac02403493f9a60215f0f9d0ac19206681740243dc040c7868c5ceb9570c1459173a5ff2213b846034ec82145ef5d52b28d252aff65e6906
SSDEEP

196608:qIJ6eA5cPmiRqfk0ScX/eBDv+cRc7A4Yn7WILy+aEkcGXe6bqmOIhJZEFIxgabSR:qf1xAcX/Or/M07neRJXe6basrSsgabI

Score

10^/10

blackmoon banker bootkit evasion persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4368-0-0x0000000000400000-0x0000000001222000-memory.dmp	family_blackmoon
behavioral2/memory/4368-49-0x0000000000400000-0x0000000001222000-memory.dmp	family_blackmoon
behavioral2/memory/4368-53-0x0000000000400000-0x0000000001222000-memory.dmp	family_blackmoon
behavioral2/memory/4368-221-0x0000000000400000-0x0000000001222000-memory.dmp	family_blackmoon

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	3.exe

Executes dropped EXE 3 IoCs

Processes:

1.exe3.exe2.exe

pid process

1668 1.exe
996 3.exe
3316 2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1668	1.exe
996	3.exe
3316	2.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4236-40-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/4236-37-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/4236-42-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/4236-38-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/4236-44-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/4236-43-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/4236-45-0x0000000000400000-0x000000000055A000-memory.dmp	upx
C:\Windows\3.exe	upx
behavioral2/memory/996-175-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/4236-174-0x0000000000400000-0x000000000055A000-memory.dmp	upx
behavioral2/memory/996-217-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/996-219-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/996-222-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/996-224-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/996-226-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/996-228-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/996-231-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/996-233-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/996-235-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/996-237-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/996-239-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/996-241-0x0000000000400000-0x00000000004E1000-memory.dmp	upx
behavioral2/memory/996-243-0x0000000000400000-0x00000000004E1000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe

description ioc process

File opened for modification \??\physicaldrive0 db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

3.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\Wallpaper = "1.bmp" 3.exe

description	ioc	process
File opened for modification	\??\physicaldrive0	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\Wallpaper = "1.bmp"	3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe

description	pid	process	target process
PID 4368 set thread context of 4236	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	ctfmon.exe

Drops file in Program Files directory 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa	cmd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa	cmd.exe

Drops file in Windows directory 13 IoCs

Processes:

db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe3.execmd.exe

description	ioc	process
File created	\??\c:\Windows\1.exe	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
File created	\??\c:\Windows\3.exe	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
File created	\??\c:\Windows\1.ico	3.exe
File opened for modification	C:\Windows\Globalization\ICU\icudtl.dat	cmd.exe
File opened for modification	\??\c:\Windows\1.exe	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
File opened for modification	\??\c:\Windows\2.exe	3.exe
File opened for modification	\??\c:\Windows\1.bat	3.exe
File opened for modification	\??\c:\Windows\3.exe	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
File created	\??\c:\Windows\2.exe	3.exe
File opened for modification	\??\c:\Windows\1.ico	3.exe
File created	C:\Windows\1.bmp	3.exe
File opened for modification	C:\Windows\1.bmp	3.exe
File created	\??\c:\Windows\1.bat	3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\WallpaperStyle = "2"	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\TileWallpaper = "2"	3.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe

Modifies registry class 64 IoCs

Processes:

3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnk\EditFlags = "2"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb\Shell\Open\Command	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wav\Shell	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.mp4\ = "mp4"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txt\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\gif\EditFlags = "2"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gif\Shell\Open\Command	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zip\DefaultIcon	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txt\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txt\DefaultIcon	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bat\Shell	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gif\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnk\Shell\Open	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bat\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "bat"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zip\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4\Shell	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\EditFlags = "2"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\bmp\EditFlags = "2"	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.bmp\ = "bmp"	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.wma\ = "wma"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4\DefaultIcon	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\rar\EditFlags = "2"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rar\Shell	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpg\Shell	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\png\Shell	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\png\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb\DefaultIcon	3.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnk\Shell\Open\Command	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rar\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gif	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\png	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4\EditFlags = "2"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wma\DefaultIcon	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\Shell\Open	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3\EditFlags = "2"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\wav\EditFlags = "2"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpg\Shell\Open\Command	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmp\Shell\Open	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3\DefaultIcon	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txt\	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bat\DefaultIcon	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gif\Shell	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb\DefaultIcon\ = "c:\\Windows\\1.ico,0"	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wav	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmp\Shell	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\png\	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3\Shell\Open\Command	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txt\Shell\Open\Command	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bat	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\bat\EditFlags = "2"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpg\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zip\	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zip\Shell\Open	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Desktop\\\" \"%1\""	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gif\DefaultIcon	3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rmvb\Shell	3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe

pid	process
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exeAUDIODG.EXEdwm.exe

description	pid	process
Token: SeDebugPrivilege	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
Token: SeDebugPrivilege	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
Token: 33	4080	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4080	AUDIODG.EXE
Token: SeCreateGlobalPrivilege	8292	dwm.exe
Token: SeChangeNotifyPrivilege	8292	dwm.exe
Token: 33	8292	dwm.exe
Token: SeIncBasePriorityPrivilege	8292	dwm.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exectfmon.exe1.exe3.exe

pid	process
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
4236	ctfmon.exe
4236	ctfmon.exe
4236	ctfmon.exe
4236	ctfmon.exe
1668	1.exe
1668	1.exe
1668	1.exe
996	3.exe
996	3.exe
996	3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe3.exe

description	pid	process	target process
PID 4368 wrote to memory of 4236	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	ctfmon.exe
PID 4368 wrote to memory of 4236	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	ctfmon.exe
PID 4368 wrote to memory of 4236	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	ctfmon.exe
PID 4368 wrote to memory of 4236	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	ctfmon.exe
PID 4368 wrote to memory of 4236	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	ctfmon.exe
PID 4368 wrote to memory of 4236	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	ctfmon.exe
PID 4368 wrote to memory of 4236	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	ctfmon.exe
PID 4368 wrote to memory of 4236	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	ctfmon.exe
PID 4368 wrote to memory of 1668	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	1.exe
PID 4368 wrote to memory of 1668	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	1.exe
PID 4368 wrote to memory of 1668	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	1.exe
PID 4368 wrote to memory of 996	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	3.exe
PID 4368 wrote to memory of 996	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	3.exe
PID 4368 wrote to memory of 996	4368	db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe	3.exe
PID 996 wrote to memory of 3316	996	3.exe	2.exe
PID 996 wrote to memory of 3316	996	3.exe	2.exe
PID 996 wrote to memory of 3316	996	3.exe	2.exe
PID 996 wrote to memory of 1632	996	3.exe	cmd.exe
PID 996 wrote to memory of 1632	996	3.exe	cmd.exe
PID 996 wrote to memory of 1632	996	3.exe	cmd.exe
PID 996 wrote to memory of 4716	996	3.exe	cmd.exe
PID 996 wrote to memory of 4716	996	3.exe	cmd.exe
PID 996 wrote to memory of 4716	996	3.exe	cmd.exe
PID 996 wrote to memory of 4400	996	3.exe	cmd.exe
PID 996 wrote to memory of 4400	996	3.exe	cmd.exe
PID 996 wrote to memory of 4400	996	3.exe	cmd.exe
PID 996 wrote to memory of 412	996	3.exe	cmd.exe
PID 996 wrote to memory of 412	996	3.exe	cmd.exe
PID 996 wrote to memory of 412	996	3.exe	cmd.exe
PID 996 wrote to memory of 1824	996	3.exe	cmd.exe
PID 996 wrote to memory of 1824	996	3.exe	cmd.exe
PID 996 wrote to memory of 1824	996	3.exe	cmd.exe
PID 996 wrote to memory of 1460	996	3.exe	cmd.exe
PID 996 wrote to memory of 1460	996	3.exe	cmd.exe
PID 996 wrote to memory of 1460	996	3.exe	cmd.exe
PID 996 wrote to memory of 2848	996	3.exe	cmd.exe
PID 996 wrote to memory of 2848	996	3.exe	cmd.exe
PID 996 wrote to memory of 2848	996	3.exe	cmd.exe
PID 996 wrote to memory of 1808	996	3.exe	cmd.exe
PID 996 wrote to memory of 1808	996	3.exe	cmd.exe
PID 996 wrote to memory of 1808	996	3.exe	cmd.exe
PID 996 wrote to memory of 4376	996	3.exe	cmd.exe
PID 996 wrote to memory of 4376	996	3.exe	cmd.exe
PID 996 wrote to memory of 4376	996	3.exe	cmd.exe
PID 996 wrote to memory of 4708	996	3.exe	cmd.exe
PID 996 wrote to memory of 4708	996	3.exe	cmd.exe
PID 996 wrote to memory of 4708	996	3.exe	cmd.exe
PID 996 wrote to memory of 4688	996	3.exe	cmd.exe
PID 996 wrote to memory of 4688	996	3.exe	cmd.exe
PID 996 wrote to memory of 4688	996	3.exe	cmd.exe
PID 996 wrote to memory of 2528	996	3.exe	cmd.exe
PID 996 wrote to memory of 2528	996	3.exe	cmd.exe
PID 996 wrote to memory of 2528	996	3.exe	cmd.exe
PID 996 wrote to memory of 2876	996	3.exe	cmd.exe
PID 996 wrote to memory of 2876	996	3.exe	cmd.exe
PID 996 wrote to memory of 2876	996	3.exe	cmd.exe
PID 996 wrote to memory of 2192	996	3.exe	cmd.exe
PID 996 wrote to memory of 2192	996	3.exe	cmd.exe
PID 996 wrote to memory of 2192	996	3.exe	cmd.exe
PID 996 wrote to memory of 2568	996	3.exe	cmd.exe
PID 996 wrote to memory of 2568	996	3.exe	cmd.exe
PID 996 wrote to memory of 2568	996	3.exe	cmd.exe
PID 996 wrote to memory of 2268	996	3.exe	cmd.exe
PID 996 wrote to memory of 2268	996	3.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe
"C:\Users\Admin\AppData\Local\Temp\db7b1aee833461841fa12e0fbcf6a9d4a0d0d4345831c000b686cab63ea570ee.exe"
1⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
2⤵
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Windows\1.exe
"C:\Windows\1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\3.exe
"C:\Windows\3.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\2.exe
"C:\Windows\2.exe"
3⤵
- Executes dropped EXE
PID:3316

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Windows\1.bat"
3⤵
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4400

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5172

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5264

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5388

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5456

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5512

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5568

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5612

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5664

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5712

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5756

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5812

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5856

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5904

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5948

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5992

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6040

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6084

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5124

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5496

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5260

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5340

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5452

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5868

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5960

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6176

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6224

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6276

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6332

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6376

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6424

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6468

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6512

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6568

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6612

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6660

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6712

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6764

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6828

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6888

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6960

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7024

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7080

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7136

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6240

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6624

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6676

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5252

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7180

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7244

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7304

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7368

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7432

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7496

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7592

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7652

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7712

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7788

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7876

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7960

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8020

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8092

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8152

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5492

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5656

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5752

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8040

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5248

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8200

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8260

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8320

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8368

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8424

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8484

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8548

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8612

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8668

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8720

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8780

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8840

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8892

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8956

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9008

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9060

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9116

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9176

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5528

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8388

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8364

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8664

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8832

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6504

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8560

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6932

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7116

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:3772

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7288

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9256

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9308

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9364

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9428

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9488

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9560

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9612

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9684

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9760

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9824

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9880

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9948

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10004

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10056

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10108

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10164

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10216

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7416

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9448

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7756

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5404

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9756

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8072

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9876

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7664

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7936

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6012

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5288

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10016

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8356

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5676

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5384

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6216

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5328

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7764

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6444

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10280

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10332

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10396

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10448

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10500

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10564

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10624

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10688

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10748

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10808

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10864

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10916

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10980

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11040

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11092

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11168

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11228

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9172

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6740

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6856

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10660

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10760

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6172

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:6672

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11104

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11128

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:9252

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7460

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:7992

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11308

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11360

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11416

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11468

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11532

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11592

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11644

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11700

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11752

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11808

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11860

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11912

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11980

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:12032

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:12096

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:12148

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:12200

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:12256

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10096

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:5436

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:11688

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:12044

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10232

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8644

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:10608

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:8952

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:12380

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:12504

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:12556

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:12616

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:12888

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:12972

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:13024

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:13088

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:13144

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:13216

C:\Windows\SysWOW64\cmd.exe
cmd.exe
3⤵
PID:13268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x524
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:8292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e574963.tmp
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\e574964.tmp
Filesize
1.6MB

MD5
5870ea0d6ba8dd6e2008466bdd00e0f4

SHA1
d41bf60d0dedff90e3cfc1b41b7e1a73df39a7d5

SHA256
5a7dac8c8b5d7cf1115246dfaf994e7f50e16a7eac1488642396f5e23fddfe0d

SHA512
0c620d5e7383adcf979feccc3b1bad584a5cec8b3d74d0ace8bb786f1f04ba87fa70d59d041dc3833977d44a75f2070181d4054c7c0b9c4ce2d66249b4b3c837

Download Submit
C:\Users\Admin\AppData\Local\Temp\e574975.tmp
Filesize
137KB

MD5
f6b847a54cfb804a25b8842b45fd1d50

SHA1
bb22fef07ce1577c8a7fa057d8cf05502c013bfc

SHA256
5dd2f5a957946e0b6f63660ebd897851aad4795d4c847396c47ddbb647715583

SHA512
dd08a55f538e2a33e6a0c496dc97ae9045594cbbf62f7894ae8ded63f4dc0b2e89c5935269adfd1c19607b1d2474bddc49f6acb955e6dc53a55560663ca2137a

Download Submit
C:\Windows\1.bat
Filesize
42B

MD5
18d3752c6c325712a320bb1b2998a7bd

SHA1
9d3cb84ccb53262b9c7ca44b38f1d4416e6ae9c3

SHA256
755fff78e98c0dd3075163c0bd71cdf4314da964e4b1c4b0de478ebcd10b0af4

SHA512
56c456708cd3645bd6419359f269eec08f46af908b1b64cd64d753ee2a1aa0f51725453503a96ed5ed55a80d78f3f3341abe0d20a685d5230299b877c692dea1

Download Submit
C:\Windows\1.exe
Filesize
10.8MB

MD5
96bfd496709cc75f4939ca11c9b045eb

SHA1
72ead43075708180c362884d06fbab2a75230cd7

SHA256
e056e04ff148d3fca67e6da9e350cd872f221285f977cf83245cbd947b3d5de3

SHA512
b14cd4c5f47c06a956e47c7447999488a948efbaefc70c1f2f7f8ed9150a439c3f48623cd76962c20cd8830e7f3e707d4c6c69335c832fc657f3867add6e5d78

Download Submit
C:\Windows\2.exe
Filesize
9KB

MD5
a4b655c4580fad879c431ac265bd1409

SHA1
f98d37a7c2a5a24f7d6871c87d150de4417e00ad

SHA256
2eba41b0399d91c5677f9ead8beb2610f94026a6a91c84ff7a4f19cfafbe61ad

SHA512
af7124caef5babde34421550f1aef4c74b88ddd657c3eaf4af5887a61b6b8c31b09b199886cab92a87eb089502f049c11da266c900de02c8310058b4c704e854

Download Submit
C:\Windows\3.exe
Filesize
336KB

MD5
1d4337ef26c6fa3cdde77d0231436d6c

SHA1
b53dd07d87c32f091e66b51d13c21f7dc4238c43

SHA256
f7b5d410bd2fdad9da1ab6641a592f0028e9aea83bf323cd3b0766a1cfb67d32

SHA512
91f20b2ac86054880480546e3d8d704079eff9e1f358995af15fbf72350037b0cbf8822a285cf9ac7bf6c3fab5f75529fc9087a2962deb584e0b07bca47c686d

Download Submit
memory/996-231-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/996-239-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/996-233-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/996-222-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/996-228-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/996-226-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/996-237-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/996-235-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/996-175-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/996-224-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/996-241-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/996-243-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/996-219-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/996-217-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/3316-218-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4236-44-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4236-174-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4236-45-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4236-43-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4236-38-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4236-42-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4236-37-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4236-40-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/4368-221-0x0000000000400000-0x0000000001222000-memory.dmp

Filesize
14.1MB

Download
memory/4368-53-0x0000000000400000-0x0000000001222000-memory.dmp

Filesize
14.1MB

Download
memory/4368-49-0x0000000000400000-0x0000000001222000-memory.dmp

Filesize
14.1MB

Download
memory/4368-0-0x0000000000400000-0x0000000001222000-memory.dmp

Filesize
14.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads