bff508d3e12dfdcdb885b982a03321d9a2f66be63267de5d4f5b3214bcd58ded

Analysis

max time kernel
75s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08c9438abaa8e3d6937249f605d22c6d_JaffaCakes118.exe
Size

21KB
MD5

08c9438abaa8e3d6937249f605d22c6d
SHA1

f561d57ef532c81fd00e46eeceaeb48e6df3ef54
SHA256

bff508d3e12dfdcdb885b982a03321d9a2f66be63267de5d4f5b3214bcd58ded
SHA512

4486964b8bc17cfec237aa8c0dfe505ff5051a7ab42894e8f7275b5d824b579ec69333cdb53300c0363514b7d5046bbc3a48f5c51047655b207282a910aa5e19
SSDEEP

384:74tMMh41kqeTCCkeGd2zTRC8mqtzCHnNvR5IOvrvE:AO7HQpmqtazfvr

Score

8^/10

discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1088	netsh.exe
4708	netsh.exe
1396	netsh.exe
3040	netsh.exe
4164	netsh.exe
2544	netsh.exe
4472	netsh.exe
448	netsh.exe
3252	netsh.exe
1576	netsh.exe
1696	netsh.exe
2740	netsh.exe
1380	netsh.exe
3020	netsh.exe
1868	netsh.exe
4496	netsh.exe
2436	netsh.exe
1984	netsh.exe
4076	netsh.exe
4984	netsh.exe
2316	netsh.exe
4360	netsh.exe
2828	netsh.exe
4376	netsh.exe
4012	netsh.exe
3040	netsh.exe
3680	netsh.exe
2360	netsh.exe
4852	netsh.exe
464	netsh.exe
4188	netsh.exe
3868	netsh.exe
656	netsh.exe
1336	netsh.exe
1156	netsh.exe
2772	netsh.exe
2356	netsh.exe
3772	netsh.exe
1112	netsh.exe
3608	netsh.exe
3188	netsh.exe
2016	netsh.exe
928	netsh.exe
396	netsh.exe
4504	netsh.exe
3124	netsh.exe
4624	netsh.exe
1608	netsh.exe
4484	netsh.exe
1264	netsh.exe
4072	netsh.exe
2184	netsh.exe
4532	netsh.exe
3576	netsh.exe
4072	netsh.exe
1664	netsh.exe
4176	netsh.exe
2532	netsh.exe
4140	netsh.exe
4080	netsh.exe
1232	netsh.exe
1696	netsh.exe
4424	netsh.exe
3548	netsh.exe

Executes dropped EXE 24 IoCs

pid	Process
4300	SYSDLL.exe
556	SYSDLL.exe
2496	SYSDLL.exe
2940	SYSDLL.exe
592	SYSDLL.exe
928	SYSDLL.exe
1348	SYSDLL.exe
2728	SYSDLL.exe
3696	SYSDLL.exe
4892	SYSDLL.exe
3624	SYSDLL.exe
4608	SYSDLL.exe
2968	SYSDLL.exe
1164	SYSDLL.exe
2748	SYSDLL.exe
5024	SYSDLL.exe
456	SYSDLL.exe
5080	SYSDLL.exe
4936	SYSDLL.exe
4464	SYSDLL.exe
3384	SYSDLL.exe
4644	SYSDLL.exe
1628	SYSDLL.exe
1092	SYSDLL.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe
File created	C:\Windows\SysWOW64\SYSDLL.exe	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4936-0-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/files/0x00070000000234d9-7.dat	upx
behavioral2/memory/4300-12-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2496-20-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4936-28-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2940-29-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4300-34-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/556-42-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/928-44-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2496-51-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4300-50-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2940-63-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/592-70-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4936-75-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/928-77-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1348-84-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/556-89-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3624-91-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2728-92-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4608-98-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3696-100-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2968-109-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4892-108-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3624-117-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4608-126-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2968-137-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/5024-145-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1164-146-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2748-155-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/5024-162-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/456-169-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4464-176-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/5080-175-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3384-184-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4936-186-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4464-193-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1628-199-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3384-201-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1092-208-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4644-210-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3460-217-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1628-219-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1092-225-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4560-230-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3460-233-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1716-239-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3960-238-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3912-244-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4560-247-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2360-250-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1716-252-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3912-256-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3332-260-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2360-262-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1084-267-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/3332-271-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4968-272-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1084-277-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4408-278-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4968-281-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1272-284-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/4408-287-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/2024-291-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1272-296-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSDLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SYSDLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 4824	4936	08c9438abaa8e3d6937249f605d22c6d_JaffaCakes118.exe	82
PID 4936 wrote to memory of 4824	4936	08c9438abaa8e3d6937249f605d22c6d_JaffaCakes118.exe	82
PID 4936 wrote to memory of 4824	4936	08c9438abaa8e3d6937249f605d22c6d_JaffaCakes118.exe	82
PID 4824 wrote to memory of 2000	4824	cmd.exe	84
PID 4824 wrote to memory of 2000	4824	cmd.exe	84
PID 4824 wrote to memory of 2000	4824	cmd.exe	84
PID 4824 wrote to memory of 4852	4824	cmd.exe	85
PID 4824 wrote to memory of 4852	4824	cmd.exe	85
PID 4824 wrote to memory of 4852	4824	cmd.exe	85
PID 4824 wrote to memory of 4076	4824	cmd.exe	86
PID 4824 wrote to memory of 4076	4824	cmd.exe	86
PID 4824 wrote to memory of 4076	4824	cmd.exe	86
PID 4824 wrote to memory of 3628	4824	cmd.exe	87
PID 4824 wrote to memory of 3628	4824	cmd.exe	87
PID 4824 wrote to memory of 3628	4824	cmd.exe	87
PID 4824 wrote to memory of 2952	4824	cmd.exe	88
PID 4824 wrote to memory of 2952	4824	cmd.exe	88
PID 4824 wrote to memory of 2952	4824	cmd.exe	88
PID 4824 wrote to memory of 3732	4824	cmd.exe	89
PID 4824 wrote to memory of 3732	4824	cmd.exe	89
PID 4824 wrote to memory of 3732	4824	cmd.exe	89
PID 4824 wrote to memory of 836	4824	cmd.exe	90
PID 4824 wrote to memory of 836	4824	cmd.exe	90
PID 4824 wrote to memory of 836	4824	cmd.exe	90
PID 4824 wrote to memory of 628	4824	cmd.exe	91
PID 4824 wrote to memory of 628	4824	cmd.exe	91
PID 4824 wrote to memory of 628	4824	cmd.exe	91
PID 4824 wrote to memory of 2784	4824	cmd.exe	92
PID 4824 wrote to memory of 2784	4824	cmd.exe	92
PID 4824 wrote to memory of 2784	4824	cmd.exe	92
PID 4824 wrote to memory of 3500	4824	cmd.exe	93
PID 4824 wrote to memory of 3500	4824	cmd.exe	93
PID 4824 wrote to memory of 3500	4824	cmd.exe	93
PID 4824 wrote to memory of 4300	4824	cmd.exe	94
PID 4824 wrote to memory of 4300	4824	cmd.exe	94
PID 4824 wrote to memory of 4300	4824	cmd.exe	94
PID 4300 wrote to memory of 1356	4300	SYSDLL.exe	95
PID 4300 wrote to memory of 1356	4300	SYSDLL.exe	95
PID 4300 wrote to memory of 1356	4300	SYSDLL.exe	95
PID 1356 wrote to memory of 1052	1356	cmd.exe	97
PID 1356 wrote to memory of 1052	1356	cmd.exe	97
PID 1356 wrote to memory of 1052	1356	cmd.exe	97
PID 1356 wrote to memory of 3124	1356	cmd.exe	98
PID 1356 wrote to memory of 3124	1356	cmd.exe	98
PID 1356 wrote to memory of 3124	1356	cmd.exe	98
PID 1356 wrote to memory of 1692	1356	cmd.exe	99
PID 1356 wrote to memory of 1692	1356	cmd.exe	99
PID 1356 wrote to memory of 1692	1356	cmd.exe	99
PID 1356 wrote to memory of 3944	1356	cmd.exe	100
PID 1356 wrote to memory of 3944	1356	cmd.exe	100
PID 1356 wrote to memory of 3944	1356	cmd.exe	100
PID 1356 wrote to memory of 3196	1356	cmd.exe	101
PID 1356 wrote to memory of 3196	1356	cmd.exe	101
PID 1356 wrote to memory of 3196	1356	cmd.exe	101
PID 1356 wrote to memory of 468	1356	cmd.exe	102
PID 1356 wrote to memory of 468	1356	cmd.exe	102
PID 1356 wrote to memory of 468	1356	cmd.exe	102
PID 1356 wrote to memory of 3856	1356	cmd.exe	103
PID 1356 wrote to memory of 3856	1356	cmd.exe	103
PID 1356 wrote to memory of 3856	1356	cmd.exe	103
PID 1356 wrote to memory of 1228	1356	cmd.exe	104
PID 1356 wrote to memory of 1228	1356	cmd.exe	104
PID 1356 wrote to memory of 1228	1356	cmd.exe	104
PID 1356 wrote to memory of 3020	1356	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\08c9438abaa8e3d6937249f605d22c6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08c9438abaa8e3d6937249f605d22c6d_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\SysWOW64\netsh.exe
    netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 80 SYSDLL ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4852
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 7171 SYSDLL ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4076
- - C:\Windows\SysWOW64\netsh.exe
    netsh winhttp set proxy proxy-server="http=localhost:7171"
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
    3⤵
    PID:836
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
    3⤵
    PID:628
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\SYSDLL.exe
    C:\Windows\System32\SYSDLL.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
      4⤵
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1052
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:3124
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1692
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        5⤵
        
        PID:3944
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        5⤵
        
        PID:3196
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        5⤵
        
        PID:468
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3856
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        5⤵
        
        PID:1228
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        5⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
    - - C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        5⤵
        Executes dropped EXE
        
        PID:556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        6⤵
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:2772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        7⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        7⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        7⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        7⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        7⤵
        
        PID:832
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        7⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        8⤵
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        9⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        9⤵
        Modifies Windows Firewall
        
        PID:1088
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4112
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        9⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        9⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        9⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        9⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        9⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        9⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        9⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        10⤵
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        11⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        11⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        11⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        11⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        11⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        11⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        11⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        11⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        11⤵
        Executes dropped EXE
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        12⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        13⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        13⤵
        Modifies Windows Firewall
        
        PID:4472
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        13⤵
        Modifies Windows Firewall
        
        PID:3188
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        13⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        13⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        13⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        13⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        13⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        13⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        13⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        13⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        14⤵
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        15⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        15⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        15⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        15⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        15⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        15⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        15⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        16⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        17⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        17⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4984
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        17⤵
        Modifies Windows Firewall
        
        PID:4140
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        17⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        17⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        17⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        17⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        17⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        17⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        18⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        19⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        19⤵
        Modifies Windows Firewall
        
        PID:1608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        19⤵
        Modifies Windows Firewall
        
        PID:2316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        19⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        19⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        19⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        19⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        19⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        19⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        20⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        21⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        21⤵
        Modifies Windows Firewall
        
        PID:3772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        21⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:464
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        21⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        21⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        21⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        21⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        21⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        22⤵
        
        PID:872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        23⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        23⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        23⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2828
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        23⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        23⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        23⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        23⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        23⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        23⤵
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        24⤵
        Drops file in System32 directory
        
        PID:3796
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        25⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        25⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        25⤵
        Modifies Windows Firewall
        
        PID:1232
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        25⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        25⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        25⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        25⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        25⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        26⤵
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        27⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        27⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        27⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        27⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        27⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        27⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        27⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        28⤵
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        29⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3020
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        29⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        29⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        29⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        29⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        29⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        29⤵
        
        PID:116
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        29⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        30⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        31⤵
        Modifies Windows Firewall
        
        PID:4424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        31⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        31⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        31⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        31⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        31⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        31⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        32⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        33⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        33⤵
        Modifies Windows Firewall
        
        PID:1868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        33⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        33⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        33⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        33⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        33⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        33⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        33⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        33⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        33⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        34⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        35⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        35⤵
        Modifies Windows Firewall
        
        PID:928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        35⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        35⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        35⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        35⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        35⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        35⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        35⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        36⤵
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        37⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        37⤵
        Modifies Windows Firewall
        
        PID:1112
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        37⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        37⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        37⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        37⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        38⤵
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        39⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        39⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3732
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        39⤵
        Modifies Windows Firewall
        
        PID:656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        39⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        39⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        39⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        39⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        39⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        40⤵
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        41⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        41⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2720
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        41⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        41⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        41⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        41⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        41⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        41⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        41⤵
        
        PID:8
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        41⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        42⤵
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        43⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4124
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        43⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1464
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        43⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3040
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        43⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        43⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        43⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        43⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        43⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        43⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        43⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        44⤵
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        45⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2896
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        45⤵
        Modifies Windows Firewall
        
        PID:2436
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        45⤵
        Modifies Windows Firewall
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        45⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        45⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        45⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        45⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        45⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        45⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        46⤵
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        47⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        47⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        47⤵
        Modifies Windows Firewall
        
        PID:3680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        47⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        47⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        47⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        47⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        47⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        47⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        48⤵
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        49⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        49⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        49⤵
        Modifies Windows Firewall
        
        PID:4484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        49⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        49⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        49⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        49⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        49⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        49⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        50⤵
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        51⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        51⤵
        Modifies Windows Firewall
        
        PID:4532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        51⤵
        Modifies Windows Firewall
        
        PID:448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        51⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        51⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        51⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        51⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        51⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        51⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        51⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        51⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        52⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        53⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        53⤵
        Modifies Windows Firewall
        
        PID:1664
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        53⤵
        Modifies Windows Firewall
        
        PID:1336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        53⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        53⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        53⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        53⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        53⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        53⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        53⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        53⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        54⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        55⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        55⤵
        Modifies Windows Firewall
        
        PID:1396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        55⤵
        Modifies Windows Firewall
        
        PID:3548
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        55⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        55⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        55⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        55⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        55⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        55⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        55⤵
        
        PID:628
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        55⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        56⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        57⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        57⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        57⤵
        Modifies Windows Firewall
        
        PID:4504
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        57⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        57⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        57⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        57⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        57⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        57⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        57⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        57⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        58⤵
        
        PID:4244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        59⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        59⤵
        Modifies Windows Firewall
        
        PID:4012
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        59⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        59⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        59⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        59⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        59⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        59⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        59⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        59⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        59⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        60⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        61⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        61⤵
        Modifies Windows Firewall
        
        PID:396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        61⤵
        Modifies Windows Firewall
        
        PID:3040
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        61⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        61⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        61⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        61⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        61⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        61⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        61⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        61⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        62⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        63⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        63⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        63⤵
        Modifies Windows Firewall
        
        PID:2532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        63⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        63⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        63⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        63⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        63⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        63⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        63⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        63⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        64⤵
        
        PID:1540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        65⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        65⤵
        Modifies Windows Firewall
        
        PID:1984
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        65⤵
        Modifies Windows Firewall
        
        PID:4496
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        65⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        65⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        65⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        65⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        65⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        65⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        65⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        65⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        66⤵
        
        PID:8
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        67⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        67⤵
        Modifies Windows Firewall
        
        PID:3608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        67⤵
        Modifies Windows Firewall
        
        PID:3252
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        67⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        67⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        67⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        67⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        67⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        67⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        67⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        67⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        68⤵
        
        PID:4324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        69⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        69⤵
        Modifies Windows Firewall
        
        PID:1576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        69⤵
        Modifies Windows Firewall
        
        PID:1696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        69⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        69⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        69⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        69⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        69⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        69⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        69⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        69⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        70⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        71⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        71⤵
        Modifies Windows Firewall
        
        PID:4164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        71⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        71⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        71⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        71⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        71⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        71⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        71⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        71⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        71⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        72⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        73⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        73⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        73⤵
        Modifies Windows Firewall
        
        PID:2740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        73⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        73⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        73⤵
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        73⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        73⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        73⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        73⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        73⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        74⤵
        
        PID:4904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        75⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        75⤵
        Modifies Windows Firewall
        
        PID:2360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        75⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        75⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        75⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        75⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        75⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        75⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        75⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        75⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        75⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        76⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        77⤵
        
        PID:376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        77⤵
        Modifies Windows Firewall
        
        PID:1156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        77⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        77⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        77⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        77⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        77⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        77⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        77⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        77⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        77⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        78⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        79⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        79⤵
        Modifies Windows Firewall
        
        PID:2544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        79⤵
        Modifies Windows Firewall
        
        PID:4176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        79⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        79⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        79⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        79⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        79⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        79⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 01 /f
        79⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\SYSDLL.exe
        
        C:\Windows\System32\SYSDLL.exe
        79⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\SYSDLL.bat
        80⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh add allowedprogram "SYSDLL" C:\Windows\System32\SYSDLL.exe ENABLE
        81⤵
        
        PID:224
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 80 SYSDLL ENABLE
        81⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add portopening TCP 7171 SYSDLL ENABLE
        81⤵
        Modifies Windows Firewall
        
        PID:2184
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh winhttp set proxy proxy-server="http=localhost:7171"
        81⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        81⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f
        81⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        81⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /d "*.local;<local>" /f
        81⤵
        
        PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\o5napjtc.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs.js

Filesize
629B

MD5
706e7f3cb24b5ff4bc8ccff43331c5b9

SHA1
b161225b7abf0ce36a927a4acd58d4b4681c0b70

SHA256
e87bb5029251874ebf43204362a06a12bb2185bb365550b300a537ec4177b91a

SHA512
1bc399da080e36407d61bf0b85d3752bab95d4ffba9810d7f124718e911d919177c9a59c7283baafc5710fbaf6452330eb959d20142f3c00f355569253178107

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

Filesize
11KB

MD5
d5fa457d6739d4321db44a17ae59f088

SHA1
0e7f5dc4367bf47563d0531828d0fdabbdb37137

SHA256
c7ae08f704ade417c6dbb2194424356413f97fdfc79d11853101b7819a9da22a

SHA512
fa2c15d40155b6e60efaf464584d581bd616ed0ea571df0c54ad130110bbd3a335147b40f6585f69e1319506d073eced81839a926aaf4a763314b07f86db83e8

Download Submit
C:\Windows\SysWOW64\SYSDLL.exe

Filesize
21KB

MD5
08c9438abaa8e3d6937249f605d22c6d

SHA1
f561d57ef532c81fd00e46eeceaeb48e6df3ef54

SHA256
bff508d3e12dfdcdb885b982a03321d9a2f66be63267de5d4f5b3214bcd58ded

SHA512
4486964b8bc17cfec237aa8c0dfe505ff5051a7ab42894e8f7275b5d824b579ec69333cdb53300c0363514b7d5046bbc3a48f5c51047655b207282a910aa5e19

Download Submit
\??\c:\SYSDLL.bat

Filesize
1KB

MD5
fe63f4adb3197fc376bacb133b4d6999

SHA1
a0f8dfceebb0a158bfa11e29b5716f09313d13c0

SHA256
787e2e4cfc6cb786a1605deb47ab08b1316f9b8fa8363509b6bb1bdafe68a2b7

SHA512
624211fdfb097ac3f1f7f3a9fc72857abe433b7af870c13c556c9c14823f802aa4268e989c2c2af80296dc8718864d8082e10b4a579739995f19e97705b02e69

Download Submit
\??\c:\SYSDLL.bat

Filesize
1KB

MD5
5468d3df284f2195c22379d708f586f8

SHA1
411525c1bd54c5895e7acea173bb99fa247ca327

SHA256
ec5e9ee70d0febab460f361e9abdf2df8a06e22aa90ab2eaa21144e6d89397ee

SHA512
f0cbbc2cbe9da8eafd5be387cbeee8119693f78772255a4c124dd1b76dd6b67cc4d0b2151a38ac4c5534c6f649231bdb6cbda8a858a540cf6f60529b9f3df6bc

Download Submit
memory/456-169-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/556-89-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/556-42-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/592-70-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/928-44-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/928-77-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1084-267-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1084-277-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1092-208-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1092-225-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1164-146-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1272-284-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1272-296-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1348-84-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1628-219-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1628-199-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1716-239-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1716-252-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2024-291-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2024-299-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2360-250-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2360-262-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2496-20-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2496-51-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2728-92-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2748-155-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2940-29-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2940-63-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2968-109-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2968-137-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3160-304-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3160-312-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3332-271-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3332-260-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3384-184-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3384-201-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3460-233-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3460-217-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3624-117-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3624-91-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3696-100-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3912-256-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3912-244-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3960-238-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4300-34-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4300-50-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4300-12-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4408-287-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4408-278-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4464-176-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4464-193-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4560-247-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4560-230-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4608-126-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4608-98-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4644-210-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4648-307-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4892-108-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4936-28-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4936-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4936-186-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4936-75-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4968-281-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4968-272-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5024-162-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5024-145-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5080-175-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads