guloader | 86501b9b040efe6e4e14f4cc59f5a3de7f271a1843067c5f88b28732506e5871

General

Target

59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
Size

242KB
MD5

4e4bc21a1c1a34037e44db52a50086d5
SHA1

1419003d268ef43d3128c11f92e9533793b07320
SHA256

59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4
SHA512

2ee099ce340f23a535726a4310d0e40fabd23e3e4ded625fe4fc18ea2cda3c6346d28a14f91c73f01161d572e30090de124ca32e05265ce387dc737869db27a0
SSDEEP

6144:jmGIhq8Q9AiAaK1Ga4my15stpehMPoCYRZ5oXuc81/L:qu8xpQm/abCMZcuc81T

Score

10^/10

guloader remcos remotehost downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

194.147.140.205:4040

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-RJDWXW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Loads dropped DLL 64 IoCs

Processes:

59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

pid	process
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Printerdiskettes = "C:\\Users\\Admin\\AppData\\Roaming\\Papillon\\Pindsvinets.exe"	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

42 drive.google.com
43 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

pid process

4948 59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

flow	ioc
42	drive.google.com
43	drive.google.com

pid	process
4948	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

pid	process
4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
4948	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

description	pid	process	target process
PID 4180 set thread context of 4948	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

Drops file in Windows directory 1 IoCs

Processes:

59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\aandede\Nskeligeres.ini	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

pid process

4948 59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

pid process

4180 59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

pid	process
4948	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe

description	pid	process	target process
PID 4180 wrote to memory of 532	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 532	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 532	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4716	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4716	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4716	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 2488	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 2488	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 2488	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 5080	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 5080	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 5080	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4552	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4552	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4552	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 3684	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 3684	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 3684	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4836	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4836	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4836	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 5052	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 5052	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 5052	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 1948	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 1948	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 1948	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 664	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 664	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 664	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 3296	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 3296	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 3296	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 2428	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 2428	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 2428	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 64	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 64	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 64	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4712	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4712	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4712	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 216	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 216	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 216	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4052	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4052	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4052	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4296	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4296	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4296	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4336	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4336	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4336	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 2024	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 2024	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 2024	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 2804	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 2804	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 2804	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4292	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4292	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4292	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe
PID 4180 wrote to memory of 4740	4180	59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
"C:\Users\Admin\AppData\Local\Temp\59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
2⤵
PID:532

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
2⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x75^38"
2⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4E^38"
2⤵
PID:664

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
2⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
2⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
2⤵
PID:216

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
2⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
2⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
2⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
2⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:3976

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
2⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
2⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
2⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
2⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
2⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:3768

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:440

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
2⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1E^38"
2⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:680

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
2⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
2⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:3368

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6D^38"
2⤵
PID:4216

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
2⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x74^38"
2⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x68^38"
2⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
2⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6A^38"
2⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
2⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x70^38"
2⤵
PID:3088

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
2⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
2⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
2⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
2⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:376

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
2⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
2⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0B^38"
2⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
2⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:3784

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4112

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
2⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:3100

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1F^38"
2⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
2⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
2⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
2⤵
PID:532

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:3088

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
2⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
2⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:4804

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
2⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
2⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
2⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
2⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:2548

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4D^38"
2⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4296

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
2⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
2⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1F^38"
2⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
2⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:3244

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
2⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
2⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
2⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
2⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
2⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3836

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
2⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1F^38"
2⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
2⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
2⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
2⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
2⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x65^38"
2⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
2⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
2⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
2⤵
PID:3732

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
2⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x76^38"
2⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
2⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:4712

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4224

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:532

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:4208

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:4380

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:3320

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe
"C:\Users\Admin\AppData\Local\Temp\59cfbef2d28f5f8df3c98d8525acf710bbad31e3bed87ccb6d8c3d9f5a9d8fe4.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
PID:4948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsh31FE.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh31FE.tmp\nsExec.dll
Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
memory/4180-624-0x0000000004A60000-0x00000000060A1000-memory.dmp

Filesize
22.3MB

Download
memory/4180-618-0x0000000004A60000-0x00000000060A1000-memory.dmp

Filesize
22.3MB

Download
memory/4180-619-0x0000000077081000-0x00000000771A1000-memory.dmp

Filesize
1.1MB

Download
memory/4180-620-0x0000000073CD0000-0x0000000073CD7000-memory.dmp

Filesize
28KB

Download
memory/4948-642-0x00000000004A0000-0x0000000001AE1000-memory.dmp

Filesize
22.3MB

Download
memory/4948-645-0x0000000072A70000-0x0000000073CC4000-memory.dmp

Filesize
18.3MB

Download
memory/4948-625-0x0000000077081000-0x00000000771A1000-memory.dmp

Filesize
1.1MB

Download
memory/4948-638-0x0000000072A70000-0x0000000073CC4000-memory.dmp

Filesize
18.3MB

Download
memory/4948-621-0x00000000004A0000-0x0000000001AE1000-memory.dmp

Filesize
22.3MB

Download
memory/4948-643-0x0000000072A70000-0x0000000073CC4000-memory.dmp

Filesize
18.3MB

Download
memory/4948-644-0x00000000004A0000-0x0000000001AE1000-memory.dmp

Filesize
22.3MB

Download
memory/4948-622-0x0000000077108000-0x0000000077109000-memory.dmp

Filesize
4KB

Download
memory/4948-646-0x0000000072A70000-0x0000000073CC4000-memory.dmp

Filesize
18.3MB

Download
memory/4948-647-0x0000000072A70000-0x0000000073CC4000-memory.dmp

Filesize
18.3MB

Download
memory/4948-648-0x0000000072A70000-0x0000000073CC4000-memory.dmp

Filesize
18.3MB

Download
memory/4948-649-0x0000000072A70000-0x0000000073CC4000-memory.dmp

Filesize
18.3MB

Download
memory/4948-650-0x0000000072A70000-0x0000000073CC4000-memory.dmp

Filesize
18.3MB

Download
memory/4948-651-0x0000000072A70000-0x0000000073CC4000-memory.dmp

Filesize
18.3MB

Download
memory/4948-652-0x0000000072A70000-0x0000000073CC4000-memory.dmp

Filesize
18.3MB

Download
memory/4948-653-0x0000000072A70000-0x0000000073CC4000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads