guloader | e4eae60e94508ef4d6d731be014afe6dd143b5b683e4cd9459d84db208249648

General

Target

SCAN00381638.vbe
Size

646KB
MD5

877d62bb0a3ca04372a89f1fd63aa517
SHA1

abb9619743f94df8ee35bcb29e08a33f49acc91a
SHA256

411d7a0d9d268daa710bbd8af48825e3227be7ed743c50c68afc05b71a940e83
SHA512

072e1b5ebf6aa76ee374d94b5d9f066c3f2c922808a646768234bf8cae9c62b55a82fa4e18ab860f7ffb5b31a625619991feaa3a82bc8fc7a3712b38cbbcf7ae
SSDEEP

12288:NuXAeUMRwhbVmNmN7wNL4NBN3rNrx9V0NnNcN/v3gRN6fyNMNIN3NLojSAfp+J1/:T4Rwhb79SyV7R1AIJTaud62Q

Score

10^/10

guloader collection downloader persistence spyware stealer

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2856-1969-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2856-1967-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2856-1988-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2816-1966-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2816-1968-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2816-1980-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2816-1966-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2856-1969-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2816-1968-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2856-1967-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1380-1973-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1380-1974-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2816-1980-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2856-1988-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

x.exeQQ.exeQQ.exeQQ.exeQQ.exe

pid process

2184 x.exe
2864 QQ.exe
2816 QQ.exe
2856 QQ.exe
1380 QQ.exe

Loads dropped DLL 64 IoCs

Processes:

x.exe

pid	process
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe
2184	x.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

QQ.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts QQ.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	QQ.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x.exeQQ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW = "\"C:\\Users\\Admin\\AppData\\Roaming\\QQ\\QQ.exe\""	x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW = "\"C:\\Users\\Admin\\AppData\\Roaming\\QQ\\QQ.exe\""	x.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW = "\"C:\\Users\\Admin\\AppData\\Roaming\\QQ\\QQ.exe\""	QQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW = "\"C:\\Users\\Admin\\AppData\\Roaming\\QQ\\QQ.exe\""	QQ.exe

Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

Processes:

x.exeQQ.exe

pid process

716 x.exe
716 x.exe
2336 QQ.exe
2336 QQ.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

x.exex.exeQQ.exeQQ.exe

pid process

2184 x.exe
716 x.exe
2864 QQ.exe
2336 QQ.exe

pid	process
716	x.exe
716	x.exe
2336	QQ.exe
2336	QQ.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

x.exeQQ.exeQQ.exe

description	pid	process	target process
PID 2184 set thread context of 716	2184	x.exe	x.exe
PID 2864 set thread context of 2336	2864	QQ.exe	QQ.exe
PID 2336 set thread context of 2816	2336	QQ.exe	QQ.exe
PID 2336 set thread context of 2856	2336	QQ.exe	QQ.exe
PID 2336 set thread context of 1380	2336	QQ.exe	QQ.exe

Drops file in Windows directory 6 IoCs

Processes:

x.exeQQ.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\sanitetstjenesten.par	x.exe
File opened for modification	C:\Windows\resources\gokke\empacket.bru	QQ.exe
File opened for modification	C:\Windows\resources\Informationssgningers.par	QQ.exe
File opened for modification	C:\Windows\Fonts\sanitetstjenesten.par	QQ.exe
File opened for modification	C:\Windows\resources\gokke\empacket.bru	x.exe
File opened for modification	C:\Windows\resources\Informationssgningers.par	x.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

x.exeQQ.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	x.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	QQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 4b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9040000000100000010000000285ec909c4ab0d2d57f5086b225799aa1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c2000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	QQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	x.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	x.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

QQ.exe

pid process

2816 QQ.exe
2816 QQ.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

x.exeQQ.exeQQ.exe

pid process

2184 x.exe
2864 QQ.exe
2336 QQ.exe
2336 QQ.exe
2336 QQ.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

QQ.exe

description pid process

Token: SeDebugPrivilege 1380 QQ.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

QQ.exe

pid process

2336 QQ.exe

pid	process
2816	QQ.exe
2816	QQ.exe

description	pid	process
Token: SeDebugPrivilege	1380	QQ.exe

pid	process
2336	QQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exex.exe

description	pid	process	target process
PID 2408 wrote to memory of 2184	2408	WScript.exe	x.exe
PID 2408 wrote to memory of 2184	2408	WScript.exe	x.exe
PID 2408 wrote to memory of 2184	2408	WScript.exe	x.exe
PID 2408 wrote to memory of 2184	2408	WScript.exe	x.exe
PID 2184 wrote to memory of 2796	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2796	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2796	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2796	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2972	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2972	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2972	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2972	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2984	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2984	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2984	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2984	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2324	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2324	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2324	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2324	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2420	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2420	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2420	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2420	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2172	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2172	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2172	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2172	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2676	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2676	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2676	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2676	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1588	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1588	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1588	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1588	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1636	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1636	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1636	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1636	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2304	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2304	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2304	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 2304	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 612	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 612	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 612	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 612	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 268	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 268	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 268	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 268	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1292	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1292	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1292	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1292	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1200	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1200	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1200	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1200	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1128	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1128	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1128	2184	x.exe	cmd.exe
PID 2184 wrote to memory of 1128	2184	x.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SCAN00381638.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\x.exe
"C:\Users\Admin\AppData\Local\Temp\x.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
3⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
3⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
3⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
3⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
3⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
3⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
3⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x75^38"
3⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4E^38"
3⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
3⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
3⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
3⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:1200

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
3⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
3⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
3⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
3⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
3⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
3⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
3⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
3⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
3⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
3⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
3⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
3⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
3⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
3⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
3⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
3⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
3⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
3⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
3⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
3⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
3⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
3⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
3⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
3⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
3⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
3⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
3⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1E^38"
3⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
3⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
3⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
3⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
3⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
3⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
3⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6D^38"
3⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
3⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x74^38"
3⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x68^38"
3⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
3⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6A^38"
3⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
3⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
3⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
3⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
3⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x70^38"
3⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
3⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
3⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
3⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
3⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
3⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
3⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
3⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
3⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
3⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
3⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
3⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
3⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0B^38"
3⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
3⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
3⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
3⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
3⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
3⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
3⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
3⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
3⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
3⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
3⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
3⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
3⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
3⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
3⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
3⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
3⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
3⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
3⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
3⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
3⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
3⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
3⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
3⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
3⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
3⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
3⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
3⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
3⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
3⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4D^38"
3⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
3⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
3⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:608

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
3⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
3⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1F^38"
3⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
3⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
3⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
3⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
3⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
3⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
3⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
3⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
3⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
3⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
3⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
3⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
3⤵
PID:380

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
3⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
3⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
3⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
3⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
3⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
3⤵
PID:344

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
3⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
3⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
3⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:696

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
3⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
3⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
3⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
3⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
3⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
3⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
3⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
3⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
3⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
3⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
3⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
3⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
3⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
3⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
3⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
3⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
3⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
3⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x65^38"
3⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
3⤵
PID:2940

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
3⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
3⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
3⤵
PID:784

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
3⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
3⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
3⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
3⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x76^38"
3⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
3⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
3⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
3⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
3⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
3⤵
PID:276

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
3⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
3⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
3⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
3⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
3⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
3⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
3⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\x.exe
"C:\Users\Admin\AppData\Local\Temp\x.exe"
3⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:716

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
"C:\Users\Admin\AppData\Roaming\QQ\QQ.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
5⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
5⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
5⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
5⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
5⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
5⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
5⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x75^38"
5⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4E^38"
5⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
5⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
5⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
5⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
5⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
5⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
5⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
5⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
5⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
5⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
5⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
5⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
5⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
5⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
5⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
5⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
5⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
5⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
5⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
5⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
5⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
5⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
5⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
5⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
5⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
5⤵
PID:448

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
5⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
5⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
5⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
5⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
5⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
5⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1E^38"
5⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
5⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
5⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
5⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
5⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
5⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
5⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6D^38"
5⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
5⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x74^38"
5⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x68^38"
5⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
5⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6A^38"
5⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
5⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
5⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
5⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
5⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x70^38"
5⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
5⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
5⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
5⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
5⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
5⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
5⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
5⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
5⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
5⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
5⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
5⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
5⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0B^38"
5⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
5⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
5⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
5⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
5⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
5⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
5⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
5⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
5⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
5⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
5⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
5⤵
PID:2548

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
5⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
5⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
5⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
5⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
5⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
5⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
5⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
5⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
5⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
5⤵
PID:1200

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
5⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
5⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
5⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
5⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
5⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
5⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
5⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
5⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
5⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4D^38"
5⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
5⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
5⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
5⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
5⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1F^38"
5⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
5⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:696

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
5⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
5⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
5⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
5⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
5⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
5⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
5⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
5⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
5⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
5⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
5⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
5⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
5⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
5⤵
PID:808

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
5⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
5⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
5⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
5⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
5⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
5⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
5⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
5⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
5⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
5⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
5⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
5⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
5⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
5⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
5⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
5⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
5⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
5⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
5⤵
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
5⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
5⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
5⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
5⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
5⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x65^38"
5⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
5⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
5⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
5⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
5⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
5⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
5⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
5⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
5⤵
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x76^38"
5⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
5⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
5⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
5⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
5⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
5⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
5⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:360

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:728

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
5⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
5⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
5⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
5⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
5⤵
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
5⤵
PID:1728

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
"C:\Users\Admin\AppData\Roaming\QQ\QQ.exe"
5⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2336

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
C:\Users\Admin\AppData\Roaming\QQ\QQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\ybepywwmahfqrgynmqhiblwmdrg"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2816

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
C:\Users\Admin\AppData\Roaming\QQ\QQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\idrhyohfopxdunmzdbubeqjcmxqrdcb"
6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:2856

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
C:\Users\Admin\AppData\Roaming\QQ\QQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\txwazzshcxpiebidmlodpcdtumiaenzywh"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
8cab61579520d48753d4ada793ce8b30

SHA1
3e74815f87f8336ec4005bb30c0c0fc7b526c980

SHA256
d7fec49da783e45a3be2ccd968d7a38905388ea02c10c311bd747a0a9d6b8e15

SHA512
3dfdfd2554038ae2f3d2b231859c2f32e600924961a1f4600820d54fd63478fca00afdda271e539eb99609050d80befed5ccb9937075a3b61f8754b0751e5062

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEF07.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize
469KB

MD5
9698e5ebed702eb7a5045811c60a3bc9

SHA1
07f394eaa3d0cfdf0933093775062cce0792129b

SHA256
ddaf4a30fd1d9a4c74f1ae8842a6b0bb2053d9cfdcbcf9b7ad8122561658518a

SHA512
a7f4acc934de58d4f3e203ef764c834ca41afe741ae5f596ed337225886d14052488d8428e34f8a5e28343cc9cbf5114c44c9f089f9675ba8fbb48171cd52a5e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3035.tmp\System.dll
Filesize
12KB

MD5
6c38da8922cc37b4bbb77de4a63ad843

SHA1
4e0533fd11df8bddbd543ed58df7b6060d9f4631

SHA256
1624d9ad8b2e2658af224691263f64388ba3a997efe80011889e3c35237ce4c1

SHA512
ad0be3d7e57da9c304e9b9cac5341b6c76b157456ab44f5579d6c38c830a31c9c3e1e9a875b8f465243c607ea2ede6b0bb77237f17a70a4d4c78606e036c3430

Download Submit
\Users\Admin\AppData\Local\Temp\nsi3035.tmp\nsExec.dll
Filesize
7KB

MD5
052099395689171cf64bf4a868e6a9be

SHA1
9581e80b223226eee5f726f38b3e966fdc5bbfad

SHA256
99fc8f647bfff3655dcd4ec577d79ec4102fb3a68b567282ba0b51e0b5262802

SHA512
f45e38314e10129d3cceaefa918b25a432c67db8bf73f110a6957ca7f5cc96db749601fed550e0357bf67c84de2721d9692b8785c295fc7a1537b42c68b461a9

Download Submit
memory/716-1040-0x0000000001880000-0x0000000002F25000-memory.dmp

Filesize
22.6MB

Download
memory/716-1041-0x0000000000810000-0x0000000001872000-memory.dmp

Filesize
16.4MB

Download
memory/716-1035-0x0000000001880000-0x0000000002F25000-memory.dmp

Filesize
22.6MB

Download
memory/1380-1971-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1380-1972-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1380-1974-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1380-1973-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2336-1983-0x0000000032A90000-0x0000000032AA9000-memory.dmp

Filesize
100KB

Download
memory/2336-1987-0x0000000032A90000-0x0000000032AA9000-memory.dmp

Filesize
100KB

Download
memory/2336-1959-0x0000000001880000-0x0000000002F25000-memory.dmp

Filesize
22.6MB

Download
memory/2336-1986-0x0000000032A90000-0x0000000032AA9000-memory.dmp

Filesize
100KB

Download
memory/2816-1964-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2816-1962-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2816-1966-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2816-1980-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2816-1968-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2856-1969-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2856-1963-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2856-1965-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2856-1988-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2856-1967-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads