guloader | 1e0e3c62b986a132017f1eed4d4226de5511bdfe08124264a3b02d5098df14e1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
Size

314KB
MD5

c7ceecb921d43912ec928af816a43ede
SHA1

2c4266ebdae98fc609ffb191cf26e85dc0671faa
SHA256

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86
SHA512

8b4ecfc89221af3d4dde2ab7effc288f9c9ddaba764b67acbde33fbc5c19d69e16d69c40f35de74e36f4eb12bdd2ffba44b702bea9d5249476dafc7f4f389e31
SSDEEP

6144:BXFKo5F4CtVeI8Y9BA6MA4ph2LN7LNNhEdMUjzz4elzC:BX54CVeI8Y9BA6uph2LN7LNNhTelO

Score

10^/10

guloader collection downloader persistence spyware stealer

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4984-1204-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/4984-1207-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4460-1203-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4460-1206-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4460-1219-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4984-1204-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4460-1203-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/5740-1213-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/5740-1216-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/5740-1215-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4984-1207-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4460-1206-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4460-1219-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe

Executes dropped EXE 4 IoCs

Processes:

QQ.exeQQ.exeQQ.exeQQ.exe

pid process

4844 QQ.exe
4460 QQ.exe
4984 QQ.exe
5740 QQ.exe

pid	process
4844	QQ.exe
4460	QQ.exe
4984	QQ.exe
5740	QQ.exe

Loads dropped DLL 64 IoCs

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe

pid	process
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

QQ.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts QQ.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	QQ.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exeQQ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW = "\"C:\\Users\\Admin\\AppData\\Roaming\\QQ\\QQ.exe\""	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW = "\"C:\\Users\\Admin\\AppData\\Roaming\\QQ\\QQ.exe\""	QQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW = "\"C:\\Users\\Admin\\AppData\\Roaming\\QQ\\QQ.exe\""	QQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-R6CJUW = "\"C:\\Users\\Admin\\AppData\\Roaming\\QQ\\QQ.exe\""	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe

Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exeQQ.exe

pid process

2912 144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2912 144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
4048 QQ.exe
4048 QQ.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exeQQ.exeQQ.exe

pid process

2712 144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2912 144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
4844 QQ.exe
4048 QQ.exe

pid	process
2912	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
2912	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
4048	QQ.exe
4048	QQ.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exeQQ.exeQQ.exe

description	pid	process	target process
PID 2712 set thread context of 2912	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
PID 4844 set thread context of 4048	4844	QQ.exe	QQ.exe
PID 4048 set thread context of 4460	4048	QQ.exe	QQ.exe
PID 4048 set thread context of 4984	4048	QQ.exe	QQ.exe
PID 4048 set thread context of 5740	4048	QQ.exe	QQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

QQ.exeQQ.exe

pid process

4460 QQ.exe
4460 QQ.exe
5740 QQ.exe
5740 QQ.exe
4460 QQ.exe
4460 QQ.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exeQQ.exeQQ.exe

pid process

2712 144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
4844 QQ.exe
4048 QQ.exe
4048 QQ.exe
4048 QQ.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

QQ.exe

description pid process

Token: SeDebugPrivilege 5740 QQ.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

QQ.exe

pid process

4048 QQ.exe

pid	process
4460	QQ.exe
4460	QQ.exe
5740	QQ.exe
5740	QQ.exe
4460	QQ.exe
4460	QQ.exe

description	pid	process
Token: SeDebugPrivilege	5740	QQ.exe

pid	process
4048	QQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe

description	pid	process	target process
PID 2712 wrote to memory of 3020	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 3020	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 3020	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5616	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5616	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5616	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 4736	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 4736	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 4736	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5572	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5572	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5572	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2248	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2248	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2248	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5664	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5664	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5664	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5196	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5196	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5196	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5696	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5696	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5696	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2356	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2356	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2356	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 3888	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 3888	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 3888	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 996	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 996	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 996	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2184	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2184	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2184	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 956	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 956	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 956	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 4564	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 4564	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 4564	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5960	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5960	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5960	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 1656	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 1656	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 1656	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2524	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2524	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2524	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 3504	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 3504	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 3504	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2596	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2596	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2596	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2364	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2364	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 2364	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 1120	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 1120	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 1120	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe
PID 2712 wrote to memory of 5256	2712	144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
"C:\Users\Admin\AppData\Local\Temp\144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
2⤵
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:5616

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:5572

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
2⤵
PID:5664

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:5196

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:5696

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x75^38"
2⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4E^38"
2⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
2⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
2⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
2⤵
PID:5960

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
2⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
2⤵
PID:5256

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:5768

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:5296

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:5688

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
2⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:3200

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
2⤵
PID:5184

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
2⤵
PID:5584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:5552

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
2⤵
PID:6112

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:5728

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
2⤵
PID:5284

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:6060

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
2⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
2⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4040

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:5980

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:6052

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
2⤵
PID:5828

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1E^38"
2⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:1224

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
2⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
2⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:5580

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:5324

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:5572

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:5800

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:5444

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:6112

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6D^38"
2⤵
PID:5776

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
2⤵
PID:6004

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x74^38"
2⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x68^38"
2⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
2⤵
PID:5148

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6A^38"
2⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
2⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:5940

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:5632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x70^38"
2⤵
PID:5988

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
2⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
2⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
2⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
2⤵
PID:5692

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:5892

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
2⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
2⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:5408

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:5740

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0B^38"
2⤵
PID:5172

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
2⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:6124

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:5752

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:5728

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
2⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
2⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:5380

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
2⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:4756

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:5140

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
2⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
2⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:5172

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
2⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:6124

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
2⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:5624

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
2⤵
PID:6112

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:5728

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
2⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4D^38"
2⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:5488

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:6104

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:5852

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:5124

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:5512

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
2⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
2⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1F^38"
2⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:5808

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:6072

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:5580

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
2⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:5572

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
2⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:5624

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
2⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:6112

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:5728

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
2⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
2⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:5636

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
2⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
2⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:5832

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:5668

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:5744

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:5368

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:5796

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
2⤵
PID:5664

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
2⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
2⤵
PID:5420

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:6076

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
2⤵
PID:5952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
2⤵
PID:792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
2⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:5300

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
2⤵
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
2⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
2⤵
PID:688

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x65^38"
2⤵
PID:5488

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
2⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:6104

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
2⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
2⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
2⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
2⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:728

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
2⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x76^38"
2⤵
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:4840

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
2⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
2⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
2⤵
PID:5744

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
2⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
2⤵
PID:5324

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
2⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:6112

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:5944

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
2⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
2⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
2⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
2⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
2⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
2⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe
"C:\Users\Admin\AppData\Local\Temp\144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2912

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
"C:\Users\Admin\AppData\Roaming\QQ\QQ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
4⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
4⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
4⤵
PID:5656

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:5408

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
4⤵
PID:5292

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
4⤵
PID:5172

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:5732

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x75^38"
4⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4E^38"
4⤵
PID:5708

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
4⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
4⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
4⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
4⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
4⤵
PID:5992

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
4⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
4⤵
PID:5972

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
4⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
4⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:5636

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:5632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
4⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
4⤵
PID:5988

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
4⤵
PID:5396

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
4⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
4⤵
PID:5256

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
4⤵
PID:5460

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
4⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
4⤵
PID:4756

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
4⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:5296

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
4⤵
PID:5248

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
4⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
4⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
4⤵
PID:5368

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
4⤵
PID:5508

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
4⤵
PID:5552

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
4⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:5576

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:5752

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:3400

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:6012

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
4⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1E^38"
4⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:5428

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:5384

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:5852

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
4⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
4⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
4⤵
PID:5968

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:5252

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
4⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:4904

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:5224

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
4⤵
PID:5296

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6D^38"
4⤵
PID:716

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
4⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x74^38"
4⤵
PID:5248

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x68^38"
4⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
4⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x6A^38"
4⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
4⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
4⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:5788

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x70^38"
4⤵
PID:6140

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:3480

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
4⤵
PID:5996

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
4⤵
PID:5752

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
4⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
4⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
4⤵
PID:5376

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
4⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x63^38"
4⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
4⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
4⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:5960

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0B^38"
4⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
4⤵
PID:5316

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:5872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:5672

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:5628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
4⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:456

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
4⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
4⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:5288

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5E^38"
4⤵
PID:5824

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
4⤵
PID:6056

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:5992

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:644

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:5952

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
4⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
4⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x56^38"
4⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
4⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:5636

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
4⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
4⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
4⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
4⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
4⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:5956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
4⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
4⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:4108

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
4⤵
PID:5688

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
4⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
4⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4D^38"
4⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
4⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:5536

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:5508

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:5756

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
4⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x17^38"
4⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1F^38"
4⤵
PID:5624

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:3168

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:4592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:792

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
4⤵
PID:6000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
4⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x11^38"
4⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
4⤵
PID:5632

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4B^38"
4⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
4⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x50^38"
4⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
4⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x52^38"
4⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x08^38"
4⤵
PID:5956

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
4⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x79^38"
4⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
4⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
4⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
4⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
4⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:5324

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:5640

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:6060

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
4⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x13^38"
4⤵
PID:5176

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
4⤵
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x10^38"
4⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
4⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
4⤵
PID:5488

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
4⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
4⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
4⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
4⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
4⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:5468

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
4⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x65^38"
4⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x47^38"
4⤵
PID:5140

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4A^38"
4⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x71^38"
4⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x48^38"
4⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x42^38"
4⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
4⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x51^38"
4⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x76^38"
4⤵
PID:5336

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x49^38"
4⤵
PID:5312

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x45^38"
4⤵
PID:5576

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x67^38"
4⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0E^38"
4⤵
PID:5196

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
4⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x12^38"
4⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:5780

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:5712

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:6024

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:5532

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:5980

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0A^38"
4⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:3612

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4F^38"
4⤵
PID:5132

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x06^38"
4⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x16^38"
4⤵
PID:5968

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x0F^38"
4⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x5F^38"
4⤵
PID:5832

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
"C:\Users\Admin\AppData\Roaming\QQ\QQ.exe"
4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
C:\Users\Admin\AppData\Roaming\QQ\QQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\eelxsmpzfzqwszxyelkxui"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4460

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
C:\Users\Admin\AppData\Roaming\QQ\QQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\oyqpteaathibcntcnoxzfnfgz"
5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:4984

C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
C:\Users\Admin\AppData\Roaming\QQ\QQ.exe /stext "C:\Users\Admin\AppData\Local\Temp\yavauxkuhpbnethgezjaiazpicwxc"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5740

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
97f9631c3a015273ebe1212441784cc4

SHA1
e65eeb7314f374132d61e29e01696dd14f43794a

SHA256
bb829451aa735fe1b7442ac4fa2a62c8408edb3ef750735dcadfed1e5ba86377

SHA512
4f117d5b6b898a435b2657587f36731a4fb42065ee8e3daed039839b004366eb60d8bf5764b06a6485e7b7fa7b6034fe5676d33d80c08ad1d86c3d780cccb6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg493F.tmp\System.dll
Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg493F.tmp\nsExec.dll
Filesize
7KB

MD5
b4579bc396ace8cafd9e825ff63fe244

SHA1
32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c

SHA256
01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b

SHA512
3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

Download Submit
C:\Users\Admin\AppData\Roaming\QQ\QQ.exe
Filesize
314KB

MD5
c7ceecb921d43912ec928af816a43ede

SHA1
2c4266ebdae98fc609ffb191cf26e85dc0671faa

SHA256
144540da6bfc395bdd8726b156099a7f7b27240321424411ba8af877cbdcbe86

SHA512
8b4ecfc89221af3d4dde2ab7effc288f9c9ddaba764b67acbde33fbc5c19d69e16d69c40f35de74e36f4eb12bdd2ffba44b702bea9d5249476dafc7f4f389e31

Download Submit
memory/2912-629-0x00000000016D0000-0x00000000037C2000-memory.dmp

Filesize
32.9MB

Download
memory/2912-639-0x00000000016D0000-0x00000000037C2000-memory.dmp

Filesize
32.9MB

Download
memory/4048-1224-0x00000000347A0000-0x00000000347B9000-memory.dmp

Filesize
100KB

Download
memory/4048-1197-0x00000000016D0000-0x00000000037C2000-memory.dmp

Filesize
32.9MB

Download
memory/4048-1221-0x00000000347A0000-0x00000000347B9000-memory.dmp

Filesize
100KB

Download
memory/4048-1225-0x00000000347A0000-0x00000000347B9000-memory.dmp

Filesize
100KB

Download
memory/4460-1199-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4460-1203-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4460-1200-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4460-1219-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4460-1206-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4984-1201-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4984-1207-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4984-1202-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4984-1204-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5740-1209-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5740-1215-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5740-1216-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5740-1213-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5740-1208-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download