snakekeylogger | c58de5f40be8fd760fc08b1ef7ae5a3f5771dbc214426156e3a21a89bb8303fc

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL EXPORT.exe
Size

775KB
MD5

0d0f944239a7dd07826e28edf9647185
SHA1

3911f09935fb37f9f6cc3ff990e12e6143282d8a
SHA256

c58de5f40be8fd760fc08b1ef7ae5a3f5771dbc214426156e3a21a89bb8303fc
SHA512

e5077fa3179d7082587d606b8c8c6b5c0d74794225394522d92a06295e962a1cdb9868ac415720e3908222cc6c55312d24868be8d8ec2e52ef81243080fe5b7e
SSDEEP

12288:7akAv7gfFvt8pjs0p1cvxM/r9RKGqHmIdD+c:+kiext2Y0QMz9RKHHF9D

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7377884885:AAGDE6_d9hXHQkXeQnXVnXZia5CIJu4gajM/sendMessage?chat_id=7161549085

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

resource	yara_rule
behavioral1/memory/2172-985-0x00000000004A0000-0x0000000001502000-memory.dmp	family_snakekeylogger
behavioral1/memory/2172-986-0x00000000004A0000-0x00000000004C6000-memory.dmp	family_snakekeylogger

Loads dropped DLL 64 IoCs

pid	Process
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe
2252	DHL EXPORT.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL EXPORT.exe
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL EXPORT.exe
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL EXPORT.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2172	DHL EXPORT.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2252	DHL EXPORT.exe
2172	DHL EXPORT.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 2172	2252	DHL EXPORT.exe	618

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\rampire.lnk	DHL EXPORT.exe
File opened for modification	C:\Program Files (x86)\breplanerne\Pist.ini	DHL EXPORT.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\sysselstter\Complexer.ini	DHL EXPORT.exe
File opened for modification	C:\Windows\resources\0409\Markazes\Sprtter.Dem	DHL EXPORT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2172	DHL EXPORT.exe
2172	DHL EXPORT.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2252	DHL EXPORT.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	DHL EXPORT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2676	2252	DHL EXPORT.exe	30
PID 2252 wrote to memory of 2676	2252	DHL EXPORT.exe	30
PID 2252 wrote to memory of 2676	2252	DHL EXPORT.exe	30
PID 2252 wrote to memory of 2676	2252	DHL EXPORT.exe	30
PID 2252 wrote to memory of 2572	2252	DHL EXPORT.exe	32
PID 2252 wrote to memory of 2572	2252	DHL EXPORT.exe	32
PID 2252 wrote to memory of 2572	2252	DHL EXPORT.exe	32
PID 2252 wrote to memory of 2572	2252	DHL EXPORT.exe	32
PID 2252 wrote to memory of 2672	2252	DHL EXPORT.exe	34
PID 2252 wrote to memory of 2672	2252	DHL EXPORT.exe	34
PID 2252 wrote to memory of 2672	2252	DHL EXPORT.exe	34
PID 2252 wrote to memory of 2672	2252	DHL EXPORT.exe	34
PID 2252 wrote to memory of 2580	2252	DHL EXPORT.exe	36
PID 2252 wrote to memory of 2580	2252	DHL EXPORT.exe	36
PID 2252 wrote to memory of 2580	2252	DHL EXPORT.exe	36
PID 2252 wrote to memory of 2580	2252	DHL EXPORT.exe	36
PID 2252 wrote to memory of 2600	2252	DHL EXPORT.exe	38
PID 2252 wrote to memory of 2600	2252	DHL EXPORT.exe	38
PID 2252 wrote to memory of 2600	2252	DHL EXPORT.exe	38
PID 2252 wrote to memory of 2600	2252	DHL EXPORT.exe	38
PID 2252 wrote to memory of 2420	2252	DHL EXPORT.exe	40
PID 2252 wrote to memory of 2420	2252	DHL EXPORT.exe	40
PID 2252 wrote to memory of 2420	2252	DHL EXPORT.exe	40
PID 2252 wrote to memory of 2420	2252	DHL EXPORT.exe	40
PID 2252 wrote to memory of 2976	2252	DHL EXPORT.exe	42
PID 2252 wrote to memory of 2976	2252	DHL EXPORT.exe	42
PID 2252 wrote to memory of 2976	2252	DHL EXPORT.exe	42
PID 2252 wrote to memory of 2976	2252	DHL EXPORT.exe	42
PID 2252 wrote to memory of 748	2252	DHL EXPORT.exe	44
PID 2252 wrote to memory of 748	2252	DHL EXPORT.exe	44
PID 2252 wrote to memory of 748	2252	DHL EXPORT.exe	44
PID 2252 wrote to memory of 748	2252	DHL EXPORT.exe	44
PID 2252 wrote to memory of 280	2252	DHL EXPORT.exe	46
PID 2252 wrote to memory of 280	2252	DHL EXPORT.exe	46
PID 2252 wrote to memory of 280	2252	DHL EXPORT.exe	46
PID 2252 wrote to memory of 280	2252	DHL EXPORT.exe	46
PID 2252 wrote to memory of 1272	2252	DHL EXPORT.exe	48
PID 2252 wrote to memory of 1272	2252	DHL EXPORT.exe	48
PID 2252 wrote to memory of 1272	2252	DHL EXPORT.exe	48
PID 2252 wrote to memory of 1272	2252	DHL EXPORT.exe	48
PID 2252 wrote to memory of 1156	2252	DHL EXPORT.exe	50
PID 2252 wrote to memory of 1156	2252	DHL EXPORT.exe	50
PID 2252 wrote to memory of 1156	2252	DHL EXPORT.exe	50
PID 2252 wrote to memory of 1156	2252	DHL EXPORT.exe	50
PID 2252 wrote to memory of 2372	2252	DHL EXPORT.exe	52
PID 2252 wrote to memory of 2372	2252	DHL EXPORT.exe	52
PID 2252 wrote to memory of 2372	2252	DHL EXPORT.exe	52
PID 2252 wrote to memory of 2372	2252	DHL EXPORT.exe	52
PID 2252 wrote to memory of 536	2252	DHL EXPORT.exe	54
PID 2252 wrote to memory of 536	2252	DHL EXPORT.exe	54
PID 2252 wrote to memory of 536	2252	DHL EXPORT.exe	54
PID 2252 wrote to memory of 536	2252	DHL EXPORT.exe	54
PID 2252 wrote to memory of 2044	2252	DHL EXPORT.exe	56
PID 2252 wrote to memory of 2044	2252	DHL EXPORT.exe	56
PID 2252 wrote to memory of 2044	2252	DHL EXPORT.exe	56
PID 2252 wrote to memory of 2044	2252	DHL EXPORT.exe	56
PID 2252 wrote to memory of 1832	2252	DHL EXPORT.exe	58
PID 2252 wrote to memory of 1832	2252	DHL EXPORT.exe	58
PID 2252 wrote to memory of 1832	2252	DHL EXPORT.exe	58
PID 2252 wrote to memory of 1832	2252	DHL EXPORT.exe	58
PID 2252 wrote to memory of 2112	2252	DHL EXPORT.exe	60
PID 2252 wrote to memory of 2112	2252	DHL EXPORT.exe	60
PID 2252 wrote to memory of 2112	2252	DHL EXPORT.exe	60
PID 2252 wrote to memory of 2112	2252	DHL EXPORT.exe	60

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL EXPORT.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL EXPORT.exe

C:\Users\Admin\AppData\Local\Temp\DHL EXPORT.exe
"C:\Users\Admin\AppData\Local\Temp\DHL EXPORT.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:1272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "242^177"
  2⤵
  PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "220^177"
  2⤵
  PID:892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "193^177"
  2⤵
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "231^177"
  2⤵
  PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "196^177"
  2⤵
  PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "210^177"
  2⤵
  PID:680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "135^177"
  2⤵
  PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "193^177"
  2⤵
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:1596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "226^177"
  2⤵
  PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:2436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "225^177"
  2⤵
  PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "223^177"
  2⤵
  PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "135^177"
  2⤵
  PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "213^177"
  2⤵
  PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:1040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "135^177"
  2⤵
  PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "155^177"
  2⤵
  PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:2064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "196^177"
  2⤵
  PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "194^177"
  2⤵
  PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "242^177"
  2⤵
  PID:1784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "230^177"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "223^177"
  2⤵
  PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "213^177"
  2⤵
  PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "198^177"
  2⤵
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "225^177"
  2⤵
  PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "210^177"
  2⤵
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\DHL EXPORT.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL EXPORT.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy18BF.tmp\System.dll

Filesize
11KB

MD5
4d3b19a81bd51f8ce44b93643a4e3a99

SHA1
35f8b00e85577b014080df98bd2c378351d9b3e9

SHA256
fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce

SHA512
b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622

Download Submit
\Users\Admin\AppData\Local\Temp\nsy18BF.tmp\nsExec.dll

Filesize
6KB

MD5
3eb4cd50dcb9f5981f5408578cb7fb70

SHA1
13b38cc104ba6ee22dc4dfa6e480e36587f4bc71

SHA256
1c2f19e57dc72587aa00800a498c5f581b7d6761dc13b24bcf287ea7bd5ca2bf

SHA512
5a0c9d28df7a77e157046dce876282c48f434a441ee34e12b88f55be31be536eff676f580adbe4586da3f1519f94b5793ccbb3068b4b009eee286c0c5135d324

Download Submit
memory/2172-985-0x00000000004A0000-0x0000000001502000-memory.dmp

Filesize
16.4MB

Download
memory/2172-986-0x00000000004A0000-0x00000000004C6000-memory.dmp

Filesize
152KB

Download
memory/2252-963-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download