snakekeylogger | 449bf249c170a1b3275c2a3ed45292244ecb49bf3be24ccef3809330de252d90

General

Target

PURCHASE DRAFT 01072024.exe
Size

467KB
MD5

29e1467e979c85abfbdd3da6b09e6c16
SHA1

9cfa0ebefbc7ae0a2a87c255cae34c9e3ce239c5
SHA256

449bf249c170a1b3275c2a3ed45292244ecb49bf3be24ccef3809330de252d90
SHA512

00d7f1882e48222a94107b01734c4225461c28b39e7ff67597061360a1965b278962d3020406f4bcd6d38609d61e687f1b17e4f11735fc98697252bf0b17d79b
SSDEEP

6144:Ddnrsfcv+Q3KGZ+tJm5RliVL4KciREqBQPzF+eanHuU0LIyv5Vl0xq:KgkXm5zibmqBQPzEeqOUgHxB

Score

10^/10

snakekeylogger collection evasion keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7169426142:AAG_Nuf4vFdD3YALIW-rE-UaNUDVey15SPM/sendMessage?chat_id=1545867115

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2464-691-0x0000000000480000-0x00000000016D4000-memory.dmp	family_snakekeylogger
behavioral2/memory/2464-692-0x0000000000480000-0x00000000004A6000-memory.dmp	family_snakekeylogger

Disables RegEdit via registry modification 1 IoCs
evasion

Processes:

REG.exe

description ioc process

Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" REG.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	REG.exe

Loads dropped DLL 64 IoCs

Processes:

PURCHASE DRAFT 01072024.exe

pid	process
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe
4984	PURCHASE DRAFT 01072024.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

PURCHASE DRAFT 01072024.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PURCHASE DRAFT 01072024.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PURCHASE DRAFT 01072024.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PURCHASE DRAFT 01072024.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

38 drive.google.com
37 drive.google.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

50 checkip.dyndns.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

PURCHASE DRAFT 01072024.exe

pid process

2464 PURCHASE DRAFT 01072024.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

PURCHASE DRAFT 01072024.exePURCHASE DRAFT 01072024.exe

pid process

4984 PURCHASE DRAFT 01072024.exe
2464 PURCHASE DRAFT 01072024.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

PURCHASE DRAFT 01072024.exe

description pid process target process

PID 4984 set thread context of 2464 4984 PURCHASE DRAFT 01072024.exe PURCHASE DRAFT 01072024.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

4552 REG.exe

flow	ioc
38	drive.google.com
37	drive.google.com

flow	ioc
50	checkip.dyndns.org

description	pid	process	target process
PID 4984 set thread context of 2464	4984	PURCHASE DRAFT 01072024.exe	PURCHASE DRAFT 01072024.exe

pid	process
4552	REG.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

PURCHASE DRAFT 01072024.exe

pid	process
2464	PURCHASE DRAFT 01072024.exe
2464	PURCHASE DRAFT 01072024.exe
2464	PURCHASE DRAFT 01072024.exe
2464	PURCHASE DRAFT 01072024.exe
2464	PURCHASE DRAFT 01072024.exe
2464	PURCHASE DRAFT 01072024.exe
2464	PURCHASE DRAFT 01072024.exe
2464	PURCHASE DRAFT 01072024.exe
2464	PURCHASE DRAFT 01072024.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

PURCHASE DRAFT 01072024.exe

pid process

4984 PURCHASE DRAFT 01072024.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PURCHASE DRAFT 01072024.exe

description pid process

Token: SeDebugPrivilege 2464 PURCHASE DRAFT 01072024.exe

description	pid	process
Token: SeDebugPrivilege	2464	PURCHASE DRAFT 01072024.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PURCHASE DRAFT 01072024.exe

description	pid	process	target process
PID 4984 wrote to memory of 1284	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1284	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1284	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2068	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2068	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2068	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4416	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4416	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4416	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1548	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1548	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1548	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4076	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4076	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4076	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 3528	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 3528	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 3528	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4728	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4728	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4728	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 3336	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 3336	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 3336	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 3716	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 3716	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 3716	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2544	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2544	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2544	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2172	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2172	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2172	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 840	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 840	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 840	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4852	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4852	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4852	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4512	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4512	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 4512	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2884	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2884	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2884	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1896	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1896	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1896	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 3504	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 3504	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 3504	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1400	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1400	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1400	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2316	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2316	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2316	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1484	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1484	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 1484	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2896	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2896	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2896	4984	PURCHASE DRAFT 01072024.exe	cmd.exe
PID 4984 wrote to memory of 2364	4984	PURCHASE DRAFT 01072024.exe	cmd.exe

outlook_office_path 1 IoCs

Processes:

PURCHASE DRAFT 01072024.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PURCHASE DRAFT 01072024.exe

outlook_win_path 1 IoCs

Processes:

PURCHASE DRAFT 01072024.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PURCHASE DRAFT 01072024.exe

C:\Users\Admin\AppData\Local\Temp\PURCHASE DRAFT 01072024.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE DRAFT 01072024.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "250^177"
2⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "244^177"
2⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "227^177"
2⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "255^177"
2⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "244^177"
2⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "253^177"
2⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "130^177"
2⤵
PID:4728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "131^177"
2⤵
PID:3336

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "139^177"
2⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "139^177"
2⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "242^177"
2⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:840

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "212^177"
2⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "208^177"
2⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "197^177"
2⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "212^177"
2⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "247^177"
2⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "221^177"
2⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "212^177"
2⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "240^177"
2⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "153^177"
2⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "220^177"
2⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "133^177"
2⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:3260

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:704

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "201^177"
2⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "137^177"
2⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:532

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "193^177"
2⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "133^177"
2⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "201^177"
2⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "137^177"
2⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "152^177"
2⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "159^177"
2⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "132^177"
2⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "141^177"
2⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "250^177"
2⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "244^177"
2⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "227^177"
2⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "255^177"
2⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "244^177"
2⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "253^177"
2⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "130^177"
2⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "131^177"
2⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "139^177"
2⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "139^177"
2⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "231^177"
2⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "197^177"
2⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "196^177"
2⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "208^177"
2⤵
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "221^177"
2⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "240^177"
2⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "221^177"
2⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "221^177"
2⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "222^177"
2⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "210^177"
2⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "153^177"
2⤵
PID:4264

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "128^177"
2⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "128^177"
2⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "132^177"
2⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "134^177"
2⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "132^177"
2⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "131^177"
2⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "136^177"
2⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "135^177"
2⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:3344

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "201^177"
2⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "130^177"
2⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:4204

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "201^177"
2⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "133^177"
2⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "152^177"
2⤵
PID:3312

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "193^177"
2⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "159^177"
2⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "128^177"
2⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "141^177"
2⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "250^177"
2⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "244^177"
2⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "227^177"
2⤵
PID:3368

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "255^177"
2⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "244^177"
2⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "253^177"
2⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "130^177"
2⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "131^177"
2⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "139^177"
2⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "139^177"
2⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "226^177"
2⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "212^177"
2⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "197^177"
2⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "247^177"
2⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:312

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "221^177"
2⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "212^177"
2⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "225^177"
2⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "222^177"
2⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "223^177"
2⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "197^177"
2⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "212^177"
2⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "153^177"
2⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:3328

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "132^177"
2⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "135^177"
2⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "134^177"
2⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "134^177"
2⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:3704

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "152^177"
2⤵
PID:5092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:3080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "159^177"
2⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "130^177"
2⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "141^177"
2⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "250^177"
2⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "244^177"
2⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "227^177"
2⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "255^177"
2⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "244^177"
2⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "253^177"
2⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "130^177"
2⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "131^177"
2⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "139^177"
2⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "139^177"
2⤵
PID:3996

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "227^177"
2⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "212^177"
2⤵
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "208^177"
2⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "213^177"
2⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "247^177"
2⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "221^177"
2⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "212^177"
2⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "153^177"
2⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "132^177"
2⤵
PID:3356

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "128^177"
2⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "128^177"
2⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "128^177"
2⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "132^177"
2⤵
PID:4884

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "134^177"
2⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "132^177"
2⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "131^177"
2⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "136^177"
2⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "135^177"
2⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "155^177"
2⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "152^177"
2⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "159^177"
2⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "130^177"
2⤵
PID:3492

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "141^177"
2⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "196^177"
2⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "194^177"
2⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "212^177"
2⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "130^177"
2⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "131^177"
2⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "139^177"
2⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "139^177"
2⤵
PID:460

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "242^177"
2⤵
PID:4412

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "208^177"
2⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "221^177"
2⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "221^177"
2⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "230^177"
2⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "223^177"
2⤵
PID:960

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "213^177"
2⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "222^177"
2⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "198^177"
2⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "225^177"
2⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "222^177"
2⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "210^177"
2⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "240^177"
2⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "153^177"
2⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
2⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "128^177"
2⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:3644

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
2⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
2⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
2⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
2⤵
PID:4868

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "152^177"
2⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "141^177"
2⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\PURCHASE DRAFT 01072024.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE DRAFT 01072024.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2464

C:\Windows\SysWOW64\REG.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
3⤵
- Disables RegEdit via registry modification
- Modifies registry key
PID:4552

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\Banner.dll
Filesize
3KB

MD5
71eab837b047124129461cb97f39745b

SHA1
6af00ad38ee73303b39970c96859ab6fe7cae584

SHA256
46cbb2797870de12aaac717da5c9bb9e2fab20d42e562d6c3925865caea2e81b

SHA512
66aa810dc1cd6e8e45ddd62ac88a4999b1b9a3c61aded5054ac8374d2ef5403021fa6bb104eb75c1f6ff4fdde5bc026f00c83dcb166febaaa47bebae0366276e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\System.dll
Filesize
11KB

MD5
10e8921a6e7f6a74671b07dc3bde626f

SHA1
b7961066600ef193c5319dbeed3673dc60110a50

SHA256
c85142f86e1ec02f7ef8d5ba31b22031de3de9a16bce519d5482b824afb277eb

SHA512
4c19a7e3117baeec3f6a7f9a33cfab392255741137406db87fe5ac24def7f9a28b2ed0fc26f0f46c5d43ba1bb6675dea74410a797bfd265e38812b042460aa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\UserInfo.dll
Filesize
3KB

MD5
3840a8875ee86c83b57b6e8eca96b013

SHA1
aeb5cd350b9bcc2e2903cf35da550e1223efead6

SHA256
b99a9f1783fa8156ce4480367e7b059b949fe083dbe66c7dc03e6bcc16f83f8b

SHA512
d0d1ebe62916b2e36664256f7e3d1009f8a928bccf0775943f6416255942fb5ac016b8459fc8fb91fd2a3ffb3272e3350578f12e1b5b40a44095ba6fc6f861c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\nsDialogs.dll
Filesize
9KB

MD5
800aa26b2eb417363bf7ec155cd6c845

SHA1
eaec626eefb36850a90c3ffaa7eab1b8750aad1d

SHA256
c40817e6948ff1b6e1983ef9dd4f21394a81336e9fe2aea826eafe02a8df047e

SHA512
2714bbaa04f481ac6fd83f64106688299d34e6af33d3e13b890c1ca72b0570b9867d427deaab48ae1ee3fe836976f9ac4dac12feb1624787b6fb2787c8db9577

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse69D8.tmp\nsExec.dll
Filesize
6KB

MD5
520d07e4bdab538c87b797d687717639

SHA1
569e5afdeee3cd6b2a77f715828ccb97b470f5fa

SHA256
9bf2482d0cdd486e1ec6d21eec00ac95538a7513a7f3c3ba117f7bf21a2b8f2d

SHA512
2302618d7b22913b11b1127378109f476de60f4231de377c5d0509b332e47efc12ca3294f3b36621eb7eb5b62b0a9ca98b5ef9692a807de58efd753594ab0185

Download Submit
memory/2464-691-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/2464-692-0x0000000000480000-0x00000000004A6000-memory.dmp

Filesize
152KB

Download
memory/2464-693-0x0000000034DF0000-0x0000000035394000-memory.dmp

Filesize
5.6MB

Download
memory/2464-694-0x00000000353A0000-0x000000003543C000-memory.dmp

Filesize
624KB

Download
memory/2464-695-0x00000000359A0000-0x0000000035A32000-memory.dmp

Filesize
584KB

Download
memory/2464-697-0x0000000035A70000-0x0000000035AC0000-memory.dmp

Filesize
320KB

Download
memory/2464-698-0x0000000035AF0000-0x0000000035CB2000-memory.dmp

Filesize
1.8MB

Download
memory/2464-699-0x0000000035D10000-0x0000000035D1A000-memory.dmp

Filesize
40KB

Download
memory/4984-678-0x00000000747A5000-0x00000000747A6000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads