guloader | c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
Size

501KB
MD5

07174a2dcc7016ccef4cd9cbc04e5652
SHA1

c19c203341b04f71b432f5228daaafb44e25514f
SHA256

c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98
SHA512

bd5910f9123941af67d844bfa09b53c8cd0de863163b32b8bbde4ef85356951bbce2858587727bd2ff8b39dbec9618eccb135051bc150b6217a3d55fbb9cd692
SSDEEP

6144:xC2Evn/IvIrb2m3El3AoZIvdRLM2fwk6IeldVU8lwDDtoNRuv0j1JtX7PXjrnCgN:YnC8Cmu3AMWwk6jdVUcwHeNEgzjLEcvH

Score

10^/10

guloader remcos remotehost collection discovery downloader persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

newfarmn.pro:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KB3GN4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/924-992-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2208-995-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/924-994-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1760-998-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1760-1001-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2208-1008-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/924-1009-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/924-992-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/924-994-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/924-1009-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2208-995-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2208-1008-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Loads dropped DLL 64 IoCs

pid	Process
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Murmeldyret.exe"	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2220	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
2220	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 396 set thread context of 2220	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	617
PID 2220 set thread context of 2208	2220	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	619
PID 2220 set thread context of 924	2220	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	620
PID 2220 set thread context of 1760	2220	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	621

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\russifier\stikprvestandardafvigelserne.lnk	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2208	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
2208	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
2220	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
2220	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
2220	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2220	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 2940	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	29
PID 396 wrote to memory of 2940	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	29
PID 396 wrote to memory of 2940	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	29
PID 396 wrote to memory of 2940	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	29
PID 396 wrote to memory of 2948	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	31
PID 396 wrote to memory of 2948	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	31
PID 396 wrote to memory of 2948	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	31
PID 396 wrote to memory of 2948	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	31
PID 396 wrote to memory of 1160	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	33
PID 396 wrote to memory of 1160	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	33
PID 396 wrote to memory of 1160	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	33
PID 396 wrote to memory of 1160	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	33
PID 396 wrote to memory of 3016	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	35
PID 396 wrote to memory of 3016	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	35
PID 396 wrote to memory of 3016	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	35
PID 396 wrote to memory of 3016	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	35
PID 396 wrote to memory of 2812	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	37
PID 396 wrote to memory of 2812	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	37
PID 396 wrote to memory of 2812	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	37
PID 396 wrote to memory of 2812	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	37
PID 396 wrote to memory of 2696	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	39
PID 396 wrote to memory of 2696	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	39
PID 396 wrote to memory of 2696	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	39
PID 396 wrote to memory of 2696	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	39
PID 396 wrote to memory of 2260	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	41
PID 396 wrote to memory of 2260	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	41
PID 396 wrote to memory of 2260	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	41
PID 396 wrote to memory of 2260	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	41
PID 396 wrote to memory of 108	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	43
PID 396 wrote to memory of 108	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	43
PID 396 wrote to memory of 108	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	43
PID 396 wrote to memory of 108	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	43
PID 396 wrote to memory of 2384	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	45
PID 396 wrote to memory of 2384	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	45
PID 396 wrote to memory of 2384	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	45
PID 396 wrote to memory of 2384	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	45
PID 396 wrote to memory of 2564	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	47
PID 396 wrote to memory of 2564	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	47
PID 396 wrote to memory of 2564	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	47
PID 396 wrote to memory of 2564	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	47
PID 396 wrote to memory of 2880	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	49
PID 396 wrote to memory of 2880	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	49
PID 396 wrote to memory of 2880	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	49
PID 396 wrote to memory of 2880	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	49
PID 396 wrote to memory of 2996	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	51
PID 396 wrote to memory of 2996	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	51
PID 396 wrote to memory of 2996	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	51
PID 396 wrote to memory of 2996	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	51
PID 396 wrote to memory of 3012	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	53
PID 396 wrote to memory of 3012	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	53
PID 396 wrote to memory of 3012	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	53
PID 396 wrote to memory of 3012	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	53
PID 396 wrote to memory of 2816	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	55
PID 396 wrote to memory of 2816	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	55
PID 396 wrote to memory of 2816	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	55
PID 396 wrote to memory of 2816	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	55
PID 396 wrote to memory of 2912	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	57
PID 396 wrote to memory of 2912	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	57
PID 396 wrote to memory of 2912	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	57
PID 396 wrote to memory of 2912	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	57
PID 396 wrote to memory of 2116	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	59
PID 396 wrote to memory of 2116	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	59
PID 396 wrote to memory of 2116	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	59
PID 396 wrote to memory of 2116	396	c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe	59

C:\Users\Admin\AppData\Local\Temp\c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
"C:\Users\Admin\AppData\Local\Temp\c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "242^177"
  2⤵
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:1312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "220^177"
  2⤵
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "193^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "231^177"
  2⤵
  PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "196^177"
  2⤵
  PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "210^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1776
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "193^177"
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2308
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "226^177"
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "225^177"
  2⤵
  PID:588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "223^177"
  2⤵
  PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "135^177"
  2⤵
  PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:2232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:2936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "213^177"
  2⤵
  PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:2308
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "155^177"
  2⤵
  PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "196^177"
  2⤵
  PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "194^177"
  2⤵
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "242^177"
  2⤵
  PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "230^177"
  2⤵
  PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "223^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "213^177"
  2⤵
  PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:1404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "198^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "225^177"
  2⤵
  PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "210^177"
  2⤵
  PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2308
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
  "C:\Users\Admin\AppData\Local\Temp\c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
    C:\Users\Admin\AppData\Local\Temp\c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe /stext "C:\Users\Admin\AppData\Local\Temp\fgcrsoppwgudvnnazloscckoqdl"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2208
- - C:\Users\Admin\AppData\Local\Temp\c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
    C:\Users\Admin\AppData\Local\Temp\c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe /stext "C:\Users\Admin\AppData\Local\Temp\hapctgzikomigtbeqojlepffzkvdrsn"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:924
- - C:\Users\Admin\AppData\Local\Temp\c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe
    C:\Users\Admin\AppData\Local\Temp\c62df0729acd9f8e1b3b922113242fc75a746b15d184cbbcf7a429fe4730bd98.exe /stext "C:\Users\Admin\AppData\Local\Temp\rcuuuzkkywenizxizzvnpusohqnmsdeflk"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
55ce9bfec261318569dd492bcd2a0707

SHA1
a399dc3ab1e8857d0833f48394788a01fec9b6cb

SHA256
9094db79fbbefa3abdf3c6a60d4c516b0e945036d6b01c25313146809337dbf9

SHA512
a2d076b988cf4ec2addad17afa69316a72dee5c7034bbbc48ca9754b2309fdfabd18acd1f819e089e97d931b9691789071b23de1f969921060344ec47db329a7

Download Submit
\Users\Admin\AppData\Local\Temp\nso1E3B.tmp\System.dll

Filesize
11KB

MD5
375e8a08471dc6f85f3828488b1147b3

SHA1
1941484ac710fc301a7d31d6f1345e32a21546af

SHA256
4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78

SHA512
5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

Download Submit
\Users\Admin\AppData\Local\Temp\nso1E3B.tmp\nsExec.dll

Filesize
6KB

MD5
4bbc9d77ef7f748f8c85750c3a445f0a

SHA1
d57a8304bb44ccdb3163b880b3c1bb213461399d

SHA256
482536968672d70279a5204060ff84ace25237f24b1bdf3b02e289d50ea5450c

SHA512
b9430939daab0c8b7e77b96f2f7f85e8e1abd9f43eccbdf94078f77ef05b31a2a31f04ca3a2eff5aa7cc965029ed437af2eb100c197ef51f128ca827ad20e902

Download Submit
memory/396-966-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/924-992-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/924-990-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/924-994-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/924-1009-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/924-991-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1760-1001-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1760-998-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1760-997-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1760-996-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2208-989-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2208-1008-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2208-993-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2208-995-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2208-988-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2220-1015-0x0000000034C10000-0x0000000034C29000-memory.dmp

Filesize
100KB

Download
memory/2220-985-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/2220-981-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/2220-1011-0x0000000034C10000-0x0000000034C29000-memory.dmp

Filesize
100KB

Download
memory/2220-987-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/2220-1014-0x0000000034C10000-0x0000000034C29000-memory.dmp

Filesize
100KB

Download
memory/2220-1017-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/2220-1020-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/2220-967-0x00000000014D0000-0x000000000383E000-memory.dmp

Filesize
35.4MB

Download
memory/2220-1023-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/2220-1026-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/2220-1029-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download
memory/2220-1032-0x0000000000460000-0x00000000014C2000-memory.dmp

Filesize
16.4MB

Download