guloader | 1e0e3c62b986a132017f1eed4d4226de5511bdfe08124264a3b02d5098df14e1

General

Target

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
Size

314KB
MD5

c7ceecb921d43912ec928af816a43ede
SHA1

2c4266ebdae98fc609ffb191cf26e85dc0671faa
SHA256

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86
SHA512

8b4ecfc89221af3d4dde2ab7effc288f9c9ddaba764b67acbde33fbc5c19d69e16d69c40f35de74e36f4eb12bdd2ffba44b702bea9d5249476dafc7f4f389e31
SSDEEP

6144:BXFKo5F4CtVeI8Y9BA6MA4ph2LN7LNNhEdMUjzz4elzC:BX54CVeI8Y9BA6uph2LN7LNNhTelO

Score

10^/10

guloader collection downloader persistence spyware stealer

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2760-1809-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2760-1807-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2760-1823-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2640-1808-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2640-1806-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2640-1820-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1308-1813-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1308-1812-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2760-1809-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2640-1808-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2760-1807-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2640-1806-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1308-1814-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2640-1820-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2760-1823-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

QQ.exeQQ.exeQQ.exeQQ.exe

pid process

1468 QQ.exe
2640 QQ.exe
2760 QQ.exe
1308 QQ.exe

pid	process
1468	QQ.exe
2640	QQ.exe
2760	QQ.exe
1308	QQ.exe

Loads dropped DLL 64 IoCs

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe

pid	process
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

QQ.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts QQ.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	QQ.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exeQQ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW = "\"C:\\Users\\Admin\\AppData\\Roaming\\QQ\\QQ.exe\""	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW = "\"C:\\Users\\Admin\\AppData\\Roaming\\QQ\\QQ.exe\""	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW = "\"C:\\Users\\Admin\\AppData\\Roaming\\QQ\\QQ.exe\""	QQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW = "\"C:\\Users\\Admin\\AppData\\Roaming\\QQ\\QQ.exe\""	QQ.exe

Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exeQQ.exe

pid process

1772 144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1772 144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2528 QQ.exe
2528 QQ.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exeQQ.exeQQ.exe

pid process

1276 144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1772 144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1468 QQ.exe
2528 QQ.exe

pid	process
1772	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1772	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2528	QQ.exe
2528	QQ.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exeQQ.exeQQ.exe

description	pid	process	target process
PID 1276 set thread context of 1772	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
PID 1468 set thread context of 2528	1468	QQ.exe	QQ.exe
PID 2528 set thread context of 2640	2528	QQ.exe	QQ.exe
PID 2528 set thread context of 2760	2528	QQ.exe	QQ.exe
PID 2528 set thread context of 1308	2528	QQ.exe	QQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exeQQ.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	QQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 4b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9040000000100000010000000285ec909c4ab0d2d57f5086b225799aa1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c2000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	QQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

QQ.exe

pid process

2640 QQ.exe
2640 QQ.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exeQQ.exeQQ.exe

pid process

1276 144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
1468 QQ.exe
2528 QQ.exe
2528 QQ.exe
2528 QQ.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

QQ.exe

description pid process

Token: SeDebugPrivilege 1308 QQ.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

QQ.exe

pid process

2528 QQ.exe

pid	process
2640	QQ.exe
2640	QQ.exe

description	pid	process
Token: SeDebugPrivilege	1308	QQ.exe

pid	process
2528	QQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe

description	pid	process	target process
PID 1276 wrote to memory of 2604	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2604	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2604	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2604	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2660	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2660	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2660	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2660	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2616	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2616	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2616	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2616	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 3004	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 3004	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 3004	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 3004	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2748	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2748	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2748	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2748	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2600	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2600	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2600	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2600	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2460	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2460	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2460	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2460	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2628	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2628	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2628	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2628	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1876	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1876	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1876	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1876	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1832	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1832	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1832	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1832	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1572	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1572	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1572	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1572	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2696	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2696	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2696	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 2696	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 372	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 372	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 372	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 372	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1016	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1016	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1016	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1016	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1288	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1288	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1288	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1288	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1996	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1996	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1996	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 1276 wrote to memory of 1996	1276	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
"C:\Users\Admin\AppData\Local\Temp\144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
2⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
2⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x75^38"
2⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4E^38"
2⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
2⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
2⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
2⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
2⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
2⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
2⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
2⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
2⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:604

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
2⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
2⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
2⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
2⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:1808

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
2⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1E^38"
2⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:572

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
2⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
2⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6D^38"
2⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
2⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x74^38"
2⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x68^38"
2⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
2⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6A^38"
2⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
2⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x70^38"
2⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
2⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
2⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
2⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
2⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
2⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
2⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0B^38"
2⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
2⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
2⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
2⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
2⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
2⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
2⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:784

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
2⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
2⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
2⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
2⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:484

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4D^38"
2⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:696

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
2⤵
PID:604

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
2⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1F^38"
2⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
2⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
2⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
2⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
2⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
2⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
2⤵
PID:668

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:344

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:1368

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
2⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
2⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
2⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
2⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x65^38"
2⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
2⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:284

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
2⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
2⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
2⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x76^38"
2⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
2⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
"C:\Users\Admin\AppData\Local\Temp\144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:1772

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
"C:\Users\Admin\AppData\Roaming\QQ\QQ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
4⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
4⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
4⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
4⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
4⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:696

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x75^38"
4⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4E^38"
4⤵
PID:604

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
4⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
4⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
4⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
4⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
4⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
4⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
4⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
4⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
4⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
4⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
4⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
4⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
4⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
4⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
4⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
4⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
4⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
4⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
4⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
4⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
4⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
4⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
4⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
4⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
4⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
4⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1E^38"
4⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
4⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
4⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
4⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
4⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
4⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6D^38"
4⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
4⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x74^38"
4⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x68^38"
4⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
4⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6A^38"
4⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
4⤵
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
4⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x70^38"
4⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
4⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
4⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
4⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
4⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
4⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
4⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
4⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
4⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
4⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0B^38"
4⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
4⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:352

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
4⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
4⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
4⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:328

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
4⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
4⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:340

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:696

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
4⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
4⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
4⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
4⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
4⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
4⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
4⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
4⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
4⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
4⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
4⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
4⤵
PID:284

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
4⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
4⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4D^38"
4⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
4⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
4⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
4⤵
PID:1480

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1F^38"
4⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:416

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
4⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
4⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
4⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
4⤵
PID:2412

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
4⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
4⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
4⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
4⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
4⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
4⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
4⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
4⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
4⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
4⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
4⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
4⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
4⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:340

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
4⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
4⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
4⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
4⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
4⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
4⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
4⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
4⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
4⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x65^38"
4⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
4⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
4⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
4⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
4⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
4⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
4⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x76^38"
4⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
4⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
4⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
4⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
4⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:328

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:300

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:604

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
4⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
4⤵
PID:2600

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
"C:\Users\Admin\AppData\Roaming\QQ\QQ.exe"
4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
C:\Users\Admin\AppData\Roaming\QQ\QQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\vwwncnwncgquvknwalrvuhwxv"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2640

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
C:\Users\Admin\AppData\Roaming\QQ\QQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\fykydghoqoizxybarwlwfuqgedts"
5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:2760

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
C:\Users\Admin\AppData\Roaming\QQ\QQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\pspqeysiexaehexebhyyqzlxfkdbjga"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7946318712806894235035598221146135321111332852882988661295319857724348103"
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13136240931272780483-1336701733-1113187072-692025218946311383350893357-321688053"
1⤵
PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-308663526-258891821-418917333-413823750-480832855-503208908814586294-130793996"
1⤵
PID:1088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "166873304322288571715882746441176565834154821353-19962843577790371061649235195"
1⤵
PID:604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1150077586-838103145425647854-2018550550-1617574765275005231-98093471-576572175"
1⤵
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
f9e6f10a75f12602939eaa28d4bef96a

SHA1
d747c53a1d97393099f12e6a52090856c0331b1b

SHA256
26f928f6380d8e845edbc77c43441689b82f4a9b4b5b59540f08f0e25bc2ea69

SHA512
140cf70ef27206195cf568e1d78b02c834165ac3fa645b8284132b3df0a522312fa7378316a1f8a256994a21bdb14883d535b54b8480a8fc6d653349c4db066c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDE81.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDEB3.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1B2F.tmp\System.dll
Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1B2F.tmp\nsExec.dll
Filesize
7KB

MD5
b4579bc396ace8cafd9e825ff63fe244

SHA1
32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

SHA256
01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

SHA512
3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

Download Submit
memory/1308-1811-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1308-1814-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1308-1810-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1308-1813-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1308-1812-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1772-954-0x00000000014E0000-0x00000000035D2000-memory.dmp

Filesize
32.9MB

Download
memory/1772-959-0x00000000014E0000-0x00000000035D2000-memory.dmp

Filesize
32.9MB

Download
memory/2528-1799-0x00000000014E0000-0x00000000035D2000-memory.dmp

Filesize
32.9MB

Download
memory/2528-1825-0x0000000033460000-0x0000000033479000-memory.dmp

Filesize
100KB

Download
memory/2528-1828-0x0000000033460000-0x0000000033479000-memory.dmp

Filesize
100KB

Download
memory/2528-1829-0x0000000033460000-0x0000000033479000-memory.dmp

Filesize
100KB

Download
memory/2640-1806-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2640-1804-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2640-1820-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2640-1808-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2640-1802-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2760-1805-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2760-1803-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2760-1823-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2760-1809-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2760-1807-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads