guloader | 86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
Size

498KB
MD5

4a0c104a8b44b6607bf92dc24972db67
SHA1

7950f8f92c4778f16e7f10313233ea6ddec0b990
SHA256

86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208
SHA512

a142af9a7c5c9221f185245ca3834432cdc5a19bca51c15d27ce51bdbf8c609e5dc75241e58616f84c3001685b923696b7ca04e97e13c54212739ed2f68e9698
SSDEEP

6144:AC2Evn/IvIrb2mU/Vy5NkiQETBtCK1A/Dsz0KIS8QxNRuv0j1JtX7PXjrnCgLa55:VnC8CmU/MjkoBtCKmwxNEgzjLEcvB0

Score

10^/10

guloader remcos remotehost discovery downloader rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

ejikeguys.lol:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-IR0L2E
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Loads dropped DLL 64 IoCs

pid	Process
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3320	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
3320	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3792 set thread context of 3320	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	677

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\russifier\stikprvestandardafvigelserne.lnk	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 4308	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	86
PID 3792 wrote to memory of 4308	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	86
PID 3792 wrote to memory of 4308	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	86
PID 3792 wrote to memory of 944	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	88
PID 3792 wrote to memory of 944	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	88
PID 3792 wrote to memory of 944	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	88
PID 3792 wrote to memory of 3592	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	90
PID 3792 wrote to memory of 3592	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	90
PID 3792 wrote to memory of 3592	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	90
PID 3792 wrote to memory of 4032	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	92
PID 3792 wrote to memory of 4032	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	92
PID 3792 wrote to memory of 4032	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	92
PID 3792 wrote to memory of 1188	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	94
PID 3792 wrote to memory of 1188	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	94
PID 3792 wrote to memory of 1188	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	94
PID 3792 wrote to memory of 1804	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	96
PID 3792 wrote to memory of 1804	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	96
PID 3792 wrote to memory of 1804	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	96
PID 3792 wrote to memory of 948	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	98
PID 3792 wrote to memory of 948	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	98
PID 3792 wrote to memory of 948	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	98
PID 3792 wrote to memory of 1376	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	100
PID 3792 wrote to memory of 1376	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	100
PID 3792 wrote to memory of 1376	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	100
PID 3792 wrote to memory of 2616	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	102
PID 3792 wrote to memory of 2616	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	102
PID 3792 wrote to memory of 2616	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	102
PID 3792 wrote to memory of 4092	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	104
PID 3792 wrote to memory of 4092	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	104
PID 3792 wrote to memory of 4092	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	104
PID 3792 wrote to memory of 5012	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	106
PID 3792 wrote to memory of 5012	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	106
PID 3792 wrote to memory of 5012	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	106
PID 3792 wrote to memory of 3688	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	108
PID 3792 wrote to memory of 3688	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	108
PID 3792 wrote to memory of 3688	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	108
PID 3792 wrote to memory of 744	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	110
PID 3792 wrote to memory of 744	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	110
PID 3792 wrote to memory of 744	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	110
PID 3792 wrote to memory of 3484	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	112
PID 3792 wrote to memory of 3484	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	112
PID 3792 wrote to memory of 3484	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	112
PID 3792 wrote to memory of 4180	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	114
PID 3792 wrote to memory of 4180	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	114
PID 3792 wrote to memory of 4180	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	114
PID 3792 wrote to memory of 3128	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	116
PID 3792 wrote to memory of 3128	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	116
PID 3792 wrote to memory of 3128	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	116
PID 3792 wrote to memory of 920	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	118
PID 3792 wrote to memory of 920	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	118
PID 3792 wrote to memory of 920	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	118
PID 3792 wrote to memory of 3320	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	120
PID 3792 wrote to memory of 3320	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	120
PID 3792 wrote to memory of 3320	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	120
PID 3792 wrote to memory of 5100	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	122
PID 3792 wrote to memory of 5100	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	122
PID 3792 wrote to memory of 5100	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	122
PID 3792 wrote to memory of 3948	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	124
PID 3792 wrote to memory of 3948	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	124
PID 3792 wrote to memory of 3948	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	124
PID 3792 wrote to memory of 3100	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	126
PID 3792 wrote to memory of 3100	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	126
PID 3792 wrote to memory of 3100	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	126
PID 3792 wrote to memory of 4232	3792	86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe	128

C:\Users\Admin\AppData\Local\Temp\86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
"C:\Users\Admin\AppData\Local\Temp\86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:4308
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:3592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:4032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "242^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:3484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:4180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:3128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:3320
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:5100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:3948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  PID:3100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:4232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "220^177"
  2⤵
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:32
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3184
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:4252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:4836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:4552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "193^177"
  2⤵
  PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:4828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:4088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:3484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:448
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:4808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:4940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:4968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:5076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:4556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:4104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:3748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:3576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:4708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:5048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:4244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "231^177"
  2⤵
  PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "196^177"
  2⤵
  PID:3776
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:4956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:5068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "210^177"
  2⤵
  PID:3172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:4032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  PID:4932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "135^177"
  2⤵
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  PID:3664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:4308
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:3740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:4716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:3256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:3976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3316
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:4500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:3920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "193^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:4440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:4016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:4088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:3880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:4768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "226^177"
  2⤵
  PID:4528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:4100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "225^177"
  2⤵
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:4448
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "223^177"
  2⤵
  PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:4600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:5048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:4488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:448
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "135^177"
  2⤵
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:4944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:4976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:4644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:3664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:3924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:3112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:3692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:4836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:4924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:3956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:5000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "213^177"
  2⤵
  PID:3460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:5024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:4032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:4912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:4272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "135^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  PID:708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:4672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:3440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:5088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "155^177"
  2⤵
  PID:3104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:4556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:4932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:3788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:4624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "196^177"
  2⤵
  PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "194^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:3956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "242^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "230^177"
  2⤵
  PID:3596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:5076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "223^177"
  2⤵
  PID:4828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "213^177"
  2⤵
  PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:3772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "198^177"
  2⤵
  PID:4624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "225^177"
  2⤵
  PID:3276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "210^177"
  2⤵
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:4080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:4708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:4412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4996
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4272
- C:\Users\Admin\AppData\Local\Temp\86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe
  "C:\Users\Admin\AppData\Local\Temp\86b6cfdcb0feccdea122debf61b51c1756e53def13a4468637539264ec35d208.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsbBB62.tmp\System.dll

Filesize
11KB

MD5
375e8a08471dc6f85f3828488b1147b3

SHA1
1941484ac710fc301a7d31d6f1345e32a21546af

SHA256
4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

SHA512
5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBB62.tmp\nsExec.dll

Filesize
6KB

MD5
4bbc9d77ef7f748f8c85750c3a445f0a

SHA1
d57a8304bb44ccdb3163b880b3c1bb213461399d

SHA256
482536968672d70279a5204060ff84ace25237f24b1bdf3b02e289d50ea5450c

SHA512
b9430939daab0c8b7e77b96f2f7f85e8e1abd9f43eccbdf94078f77ef05b31a2a31f04ca3a2eff5aa7cc965029ed437af2eb100c197ef51f128ca827ad20e902

Download Submit
memory/3320-968-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3320-959-0x00000000016C0000-0x000000000698B000-memory.dmp

Filesize
82.8MB

Download
memory/3320-963-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3320-964-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3320-969-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3320-970-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3320-971-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3320-972-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3320-973-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3320-974-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3320-975-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3320-976-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/3792-958-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download