guloader | 21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
Size

609KB
MD5

caef1be333db06e88325e3cf82c27fe1
SHA1

24d30b606727d8739c0fcd8f5d0d6c76dfdf7a3c
SHA256

21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda
SHA512

e93bb19b775af0d2928230baa2541f538adb72ff51ff0b8d92cc7c3bcbbbdef6535729d22c190d0b914c281dc1479364745cb073e43ecc0e6ab8af45ca94da3b
SSDEEP

12288:n/v3K20gS7RPJddE9MVl01amNw3I372nX2ixR5dwG36OoZf+:n/CWS7XoKmNw3s2nh5dVKON

Score

10^/10

guloader remcos remotehost discovery downloader rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

kezdns.pro:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-FUHBXG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Loads dropped DLL 64 IoCs

pid	Process
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1760	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
1760	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1528 set thread context of 1760	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	678

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Scrimmaged74\vejrkort.inc	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
File opened for modification	C:\Windows\resources\0409\leperdom.rel	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 4596	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	85
PID 1528 wrote to memory of 4596	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	85
PID 1528 wrote to memory of 4596	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	85
PID 1528 wrote to memory of 3428	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	88
PID 1528 wrote to memory of 3428	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	88
PID 1528 wrote to memory of 3428	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	88
PID 1528 wrote to memory of 3496	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	90
PID 1528 wrote to memory of 3496	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	90
PID 1528 wrote to memory of 3496	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	90
PID 1528 wrote to memory of 4104	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	92
PID 1528 wrote to memory of 4104	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	92
PID 1528 wrote to memory of 4104	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	92
PID 1528 wrote to memory of 2152	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	94
PID 1528 wrote to memory of 2152	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	94
PID 1528 wrote to memory of 2152	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	94
PID 1528 wrote to memory of 4552	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	96
PID 1528 wrote to memory of 4552	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	96
PID 1528 wrote to memory of 4552	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	96
PID 1528 wrote to memory of 116	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	98
PID 1528 wrote to memory of 116	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	98
PID 1528 wrote to memory of 116	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	98
PID 1528 wrote to memory of 1876	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	100
PID 1528 wrote to memory of 1876	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	100
PID 1528 wrote to memory of 1876	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	100
PID 1528 wrote to memory of 2968	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	102
PID 1528 wrote to memory of 2968	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	102
PID 1528 wrote to memory of 2968	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	102
PID 1528 wrote to memory of 2644	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	104
PID 1528 wrote to memory of 2644	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	104
PID 1528 wrote to memory of 2644	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	104
PID 1528 wrote to memory of 4724	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	106
PID 1528 wrote to memory of 4724	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	106
PID 1528 wrote to memory of 4724	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	106
PID 1528 wrote to memory of 1880	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	108
PID 1528 wrote to memory of 1880	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	108
PID 1528 wrote to memory of 1880	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	108
PID 1528 wrote to memory of 4080	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	110
PID 1528 wrote to memory of 4080	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	110
PID 1528 wrote to memory of 4080	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	110
PID 1528 wrote to memory of 4164	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	112
PID 1528 wrote to memory of 4164	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	112
PID 1528 wrote to memory of 4164	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	112
PID 1528 wrote to memory of 5036	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	114
PID 1528 wrote to memory of 5036	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	114
PID 1528 wrote to memory of 5036	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	114
PID 1528 wrote to memory of 4468	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	116
PID 1528 wrote to memory of 4468	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	116
PID 1528 wrote to memory of 4468	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	116
PID 1528 wrote to memory of 4744	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	118
PID 1528 wrote to memory of 4744	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	118
PID 1528 wrote to memory of 4744	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	118
PID 1528 wrote to memory of 3236	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	120
PID 1528 wrote to memory of 3236	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	120
PID 1528 wrote to memory of 3236	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	120
PID 1528 wrote to memory of 4560	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	122
PID 1528 wrote to memory of 4560	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	122
PID 1528 wrote to memory of 4560	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	122
PID 1528 wrote to memory of 3536	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	124
PID 1528 wrote to memory of 3536	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	124
PID 1528 wrote to memory of 3536	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	124
PID 1528 wrote to memory of 2580	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	126
PID 1528 wrote to memory of 2580	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	126
PID 1528 wrote to memory of 2580	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	126
PID 1528 wrote to memory of 2572	1528	21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe	128

C:\Users\Admin\AppData\Local\Temp\21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
"C:\Users\Admin\AppData\Local\Temp\21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:4596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:3428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:4104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:4552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "242^177"
  2⤵
  PID:4724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:4080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:4164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:5036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:4468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:4744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:4560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:3536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "220^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:3500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:4480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:4384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:4156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:4108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:4444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "193^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:4516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:4800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:4720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:2352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:4108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:4420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:4676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:4904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "231^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:3500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "196^177"
  2⤵
  PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:4588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:4764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:3904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "210^177"
  2⤵
  PID:460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:1092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "135^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "136^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "136^177"
  2⤵
  PID:3760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:5072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:4380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4304
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:4500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "193^177"
  2⤵
  PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:3428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:4376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:4440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:4104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:3304
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:4652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:4008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:4904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:4196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "226^177"
  2⤵
  PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:4844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:3164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:4764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "225^177"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:3680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "223^177"
  2⤵
  PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "135^177"
  2⤵
  PID:4292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:4868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:4012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:4764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:3680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:5020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:4024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:5024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:4800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:3860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "213^177"
  2⤵
  PID:624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:4980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:4488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "135^177"
  2⤵
  PID:532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "136^177"
  2⤵
  PID:3676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "136^177"
  2⤵
  PID:4800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:3860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "155^177"
  2⤵
  PID:624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:3764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:3536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "196^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "194^177"
  2⤵
  PID:4024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:4472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:2768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:4732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "242^177"
  2⤵
  PID:4348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:4656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:4812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "230^177"
  2⤵
  PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "223^177"
  2⤵
  PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "213^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:3524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "198^177"
  2⤵
  PID:4968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "225^177"
  2⤵
  PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:4916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "210^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  PID:4764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:3916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:1380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:4804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:4552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:4516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:5068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:3932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:4588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:4456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe
  "C:\Users\Admin\AppData\Local\Temp\21bca3ed380aff98138bc26cc631cfaa7eedd098e3da694e8eef350b23afceda.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsx8C82.tmp\System.dll

Filesize
12KB

MD5
792b6f86e296d3904285b2bf67ccd7e0

SHA1
966b16f84697552747e0ddd19a4ba8ab5083af31

SHA256
c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

SHA512
97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8C82.tmp\nsExec.dll

Filesize
6KB

MD5
5aa38904acdcc21a2fb8a1d30a72d92f

SHA1
a9ce7d1456698921791db91347dba0489918d70c

SHA256
10675f13abaee592f14382349aa35d82fb52aab4e27eef61d0c83dec1f6b73da

SHA512
f04740da561d7cd0dea5e839c9e1c339d4a3e63944d3566c94c921a3d170a69918a32dff3f3b43f13d55cc25a2dbb4c21104f062c324308ac5104179766402a3

Download Submit
memory/1528-667-0x0000000074C85000-0x0000000074C86000-memory.dmp

Filesize
4KB

Download
memory/1760-668-0x00000000016C0000-0x0000000004249000-memory.dmp

Filesize
43.5MB

Download
memory/1760-672-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/1760-673-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/1760-677-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/1760-678-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/1760-679-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/1760-680-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/1760-681-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/1760-682-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/1760-683-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/1760-684-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/1760-685-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download