Edit tour

Windows Analysis Report
rCOTA____OMAGNA.exe

Overview

General Information

Sample Name:	rCOTA____OMAGNA.exe
Analysis ID:	1349191
MD5:	e8ae37869c7ad38c37445c1e16c7a065
SHA1:	afdf5240a81479a5b020c0432741c203bc0bec01
SHA256:	24b9d2af5baedd2f1a03ccce703c5a79251c10783108ab7a1816d24e464e64ce
Tags:	exeRemcosRAT
Infos:

Detection

GuLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Obfuscated command line found

Tries to detect virtualization through RDTSC time measurements

Uses 32bit PE files

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Stores large binary data to the registry

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Contains functionality to dynamically determine API calls

Abnormal high CPU Usage

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

PE / OLE file has an invalid certificate

Creates or modifies windows services

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Contains functionality for read data from the clipboard

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

rCOTA____OMAGNA.exe (PID: 4612 cmdline: C:\Users\user\Desktop\rCOTA____OMAGNA.exe MD5: E8AE37869C7AD38C37445C1E16C7A065)

cmd.exe (PID: 4144 cmdline: cmd /c set /a "0x9E^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3576 cmdline: cmd /c set /a "0x98^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5832 cmdline: cmd /c set /a "0x8E^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3140 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5336 cmdline: cmd /c set /a "0xD8^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5876 cmdline: cmd /c set /a "0xD9^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2352 cmdline: cmd /c set /a "0xD1^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5788 cmdline: cmd /c set /a "0xD1^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3288 cmdline: cmd /c set /a "0xB8^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3140 cmdline: cmd /c set /a "0x83^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5336 cmdline: cmd /c set /a "0x84^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6504 cmdline: cmd /c set /a "0x9C^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3180 cmdline: cmd /c set /a "0xBC^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6516 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2968 cmdline: cmd /c set /a "0x85^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4816 cmdline: cmd /c set /a "0x8F^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3252 cmdline: cmd /c set /a "0x84^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6504 cmdline: cmd /c set /a "0x9C^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4292 cmdline: cmd /c set /a "0xC3^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 320 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4080 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4148 cmdline: cmd /c set /a "0xDC^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5348 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3576 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6204 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4292 cmdline: cmd /c set /a "0xC2^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4164 cmdline: cmd /c set /a "0x92^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3992 cmdline: cmd /c set /a "0x86^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 368 cmdline: cmd /c set /a "0x98^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3060 cmdline: cmd /c set /a "0x9D^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6504 cmdline: cmd /c set /a "0x88^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7064 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1576 cmdline: cmd /c set /a "0x9F^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4308 cmdline: cmd /c set /a "0xC5^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5244 cmdline: cmd /c set /a "0x8F^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5832 cmdline: cmd /c set /a "0x87^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2812 cmdline: cmd /c set /a "0x87^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5272 cmdline: cmd /c set /a "0xD1^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6472 cmdline: cmd /c set /a "0xD1^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5824 cmdline: cmd /c set /a "0xB4^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3620 cmdline: cmd /c set /a "0x84^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1276 cmdline: cmd /c set /a "0x9B^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1164 cmdline: cmd /c set /a "0x8E^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3172 cmdline: cmd /c set /a "0x85^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4764 cmdline: cmd /c set /a "0xC3^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3140 cmdline: cmd /c set /a "0x86^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5320 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1224 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7056 cmdline: cmd /c set /a "0xDF^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1784 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6108 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2764 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6196 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2860 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5348 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5876 cmdline: cmd /c set /a "0x93^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6520 cmdline: cmd /c set /a "0xD3^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6220 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6800 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2300 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5344 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6448 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5952 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5320 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SIHClient.exe (PID: 6848 cmdline: C:\Windows\System32\sihclient.exe /cv AZQPdMkTL0SlnyG2qylUew.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)

cmd.exe (PID: 2924 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2668 cmdline: cmd /c set /a "0x93^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3924 cmdline: cmd /c set /a "0xDA^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1776 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6768 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5336 cmdline: cmd /c set /a "0xC2^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5892 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3524 cmdline: cmd /c set /a "0xC5^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5320 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1224 cmdline: cmd /c set /a "0xDE^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3292 cmdline: cmd /c set /a "0x92^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3924 cmdline: cmd /c set /a "0xA0^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2232 cmdline: cmd /c set /a "0xAE^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4072 cmdline: cmd /c set /a "0xB9^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4080 cmdline: cmd /c set /a "0xA5^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 368 cmdline: cmd /c set /a "0xAE^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5008 cmdline: cmd /c set /a "0xA7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5500 cmdline: cmd /c set /a "0xD8^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6204 cmdline: cmd /c set /a "0xD9^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1732 cmdline: cmd /c set /a "0xD1^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1276 cmdline: cmd /c set /a "0xD1^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2764 cmdline: cmd /c set /a "0xBD^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2968 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2232 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1848 cmdline: cmd /c set /a "0x9F^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5284 cmdline: cmd /c set /a "0x9E^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5360 cmdline: cmd /c set /a "0x8A^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1516 cmdline: cmd /c set /a "0x87^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3524 cmdline: cmd /c set /a "0xAA^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3408 cmdline: cmd /c set /a "0x87^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3144 cmdline: cmd /c set /a "0x87^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3292 cmdline: cmd /c set /a "0x84^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6152 cmdline: cmd /c set /a "0x88^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6460 cmdline: cmd /c set /a "0xAE^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3780 cmdline: cmd /c set /a "0x93^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5964 cmdline: cmd /c set /a "0xC3^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1164 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3648 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3504 cmdline: cmd /c set /a "0xC6^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4372 cmdline: cmd /c set /a "0xDA^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1272 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6184 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7136 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4436 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5660 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2072 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4852 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6152 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5832 cmdline: cmd /c set /a "0xDA^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5712 cmdline: cmd /c set /a "0xD9^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2360 cmdline: cmd /c set /a "0xD3^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5264 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5160 cmdline: cmd /c set /a "0xD3^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2352 cmdline: cmd /c set /a "0xDA^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2924 cmdline: cmd /c set /a "0xD2^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1656 cmdline: cmd /c set /a "0xD9^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3180 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3144 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5004 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2136 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6460 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5344 cmdline: cmd /c set /a "0x93^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5964 cmdline: cmd /c set /a "0xD8^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3220 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5768 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5516 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5264 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5160 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4336 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2576 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1784 cmdline: cmd /c set /a "0xDD^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4324 cmdline: cmd /c set /a "0xDF^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5788 cmdline: cmd /c set /a "0xC2^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2460 cmdline: cmd /c set /a "0x9B^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6768 cmdline: cmd /c set /a "0xC5^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5028 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5284 cmdline: cmd /c set /a "0xDF^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5336 cmdline: cmd /c set /a "0x92^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5768 cmdline: cmd /c set /a "0x86^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2300 cmdline: cmd /c set /a "0x98^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4456 cmdline: cmd /c set /a "0x9D^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2352 cmdline: cmd /c set /a "0x88^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6544 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7136 cmdline: cmd /c set /a "0x9F^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6400 cmdline: cmd /c set /a "0xD1^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5544 cmdline: cmd /c set /a "0xD1^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4320 cmdline: cmd /c set /a "0xB4^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1776 cmdline: cmd /c set /a "0x87^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5228 cmdline: cmd /c set /a "0x98^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6460 cmdline: cmd /c set /a "0x8E^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6764 cmdline: cmd /c set /a "0x8E^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2568 cmdline: cmd /c set /a "0x80^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5480 cmdline: cmd /c set /a "0xC3^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4112 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6504 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3524 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3652 cmdline: cmd /c set /a "0xDE^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5340 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2668 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1784 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4324 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIADAP.exe (PID: 5004 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)

cmd.exe (PID: 3992 cmdline: cmd /c set /a "0xD8^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6444 cmdline: cmd /c set /a "0xDA^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5648 cmdline: cmd /c set /a "0xD2^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2464 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2360 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6568 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5496 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5264 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5160 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4036 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4308 cmdline: cmd /c set /a "0xC2^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3292 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5544 cmdline: cmd /c set /a "0xC5^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3012 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4324 cmdline: cmd /c set /a "0xDC^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3992 cmdline: cmd /c set /a "0x92^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6460 cmdline: cmd /c set /a "0x86^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5648 cmdline: cmd /c set /a "0x98^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5448 cmdline: cmd /c set /a "0x9D^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6220 cmdline: cmd /c set /a "0x88^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1600 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4040 cmdline: cmd /c set /a "0x9F^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6308 cmdline: cmd /c set /a "0xC5^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7064 cmdline: cmd /c set /a "0x8F^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6980 cmdline: cmd /c set /a "0x87^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2924 cmdline: cmd /c set /a "0x87^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6544 cmdline: cmd /c set /a "0xD1^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4352 cmdline: cmd /c set /a "0xD1^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1524 cmdline: cmd /c set /a "0xB4^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3180 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3040 cmdline: cmd /c set /a "0x8E^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3012 cmdline: cmd /c set /a "0x8A^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4324 cmdline: cmd /c set /a "0x8F^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6444 cmdline: cmd /c set /a "0xC3^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5892 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3772 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4980 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3220 cmdline: cmd /c set /a "0xDE^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2676 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6128 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6504 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7064 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6980 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7080 cmdline: cmd /c set /a "0xDF^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3752 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5412 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4436 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2412 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5460 cmdline: cmd /c set /a "0xDA^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5432 cmdline: cmd /c set /a "0xD9^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2104 cmdline: cmd /c set /a "0xD3^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4580 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3572 cmdline: cmd /c set /a "0xD3^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5520 cmdline: cmd /c set /a "0xDA^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2952 cmdline: cmd /c set /a "0xD2^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3840 cmdline: cmd /c set /a "0xD9^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5776 cmdline: cmd /c set /a "0xC2^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1684 cmdline: cmd /c set /a "0x92^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 380 cmdline: cmd /c set /a "0x9E^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6348 cmdline: cmd /c set /a "0x98^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4508 cmdline: cmd /c set /a "0x8E^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4764 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6972 cmdline: cmd /c set /a "0xD8^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6764 cmdline: cmd /c set /a "0xD9^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2464 cmdline: cmd /c set /a "0xD1^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2504 cmdline: cmd /c set /a "0xD1^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3192 cmdline: cmd /c set /a "0xA8^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3364 cmdline: cmd /c set /a "0x8A^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6848 cmdline: cmd /c set /a "0x87^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1516 cmdline: cmd /c set /a "0x87^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1252 cmdline: cmd /c set /a "0xBC^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2352 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5900 cmdline: cmd /c set /a "0x85^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1172 cmdline: cmd /c set /a "0x8F^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6524 cmdline: cmd /c set /a "0x84^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1268 cmdline: cmd /c set /a "0x9C^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3380 cmdline: cmd /c set /a "0xBB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1240 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6832 cmdline: cmd /c set /a "0x84^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5432 cmdline: cmd /c set /a "0x88^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2132 cmdline: cmd /c set /a "0xAA^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4848 cmdline: cmd /c set /a "0xC3^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3292 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3812 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4912 cmdline: cmd /c set /a "0x99^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2072 cmdline: cmd /c set /a "0xDF^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3040 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2656 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6436 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5488 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5820 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1848 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 368 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5028 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5480 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5272 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2516 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5876 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4204 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4456 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4836 cmdline: cmd /c set /a "0xC7^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3652 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4668 cmdline: cmd /c set /a "0x82^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5364 cmdline: cmd /c set /a "0xCB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6632 cmdline: cmd /c set /a "0xDB^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6688 cmdline: cmd /c set /a "0xC2^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2780 cmdline: cmd /c set /a "0x92^235" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4466934808.0000000002B6D000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: rCOTA____OMAGNA.exe PID: 4612	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: rCOTA____OMAGNA.exe	Virustotal: Detection: 56%			Perma Link
Source: rCOTA____OMAGNA.exe	ReversingLabs: Detection: 43%

Source: rCOTA____OMAGNA.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: rCOTA____OMAGNA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior

Source: SIHClient.exe, 00000082.00000003.2217164271.000002C59AC9F000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000082.00000003.2216079610.000002C59AC9F000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000082.00000003.2214835009.000002C59ACA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.130.dr, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.130.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: SIHClient.exe, 00000082.00000003.2214835009.000002C59AD00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8b6baea
Source: SIHClient.exe, 00000082.00000003.2208701474.000002C59B5D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f327
Source: rCOTA____OMAGNA.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: rCOTA____OMAGNA.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: rCOTA____OMAGNA.exe	String found in binary or memory: http://s.symcd.com06
Source: rCOTA____OMAGNA.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: rCOTA____OMAGNA.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: rCOTA____OMAGNA.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SIHClient.exe, 00000082.00000003.2216265016.000002C59B5F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: rCOTA____OMAGNA.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: rCOTA____OMAGNA.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: rCOTA____OMAGNA.exe	String found in binary or memory: https://d.symcb.com/rpa0.

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056DE

Source: conhost.exe

Process created: 251

Source: rCOTA____OMAGNA.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\System32\wbem\WMIADAP.exe

File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352D

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Code function: 0_2_6E381BFF	0_2_6E381BFF

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

Process Stats: CPU usage > 49%

Source: rCOTA____OMAGNA.exe, 00000000.00000000.2010250408.000000000045A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesupertankernes fantastico.exe4 vs rCOTA____OMAGNA.exe
Source: rCOTA____OMAGNA.exe	Binary or memory string: OriginalFilenamesupertankernes fantastico.exe4 vs rCOTA____OMAGNA.exe

Source: rCOTA____OMAGNA.exe

Static PE information: invalid certificate

Source: rCOTA____OMAGNA.exe	Virustotal: Detection: 56%
Source: rCOTA____OMAGNA.exe	ReversingLabs: Detection: 43%

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

File read: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

Jump to behavior

Source: rCOTA____OMAGNA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rCOTA____OMAGNA.exe C:\Users\user\Desktop\rCOTA____OMAGNA.exe
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9E^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB8^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xBC^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x85^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8F^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDC^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x86^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9D^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8F^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB4^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9B^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x85^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDF^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv AZQPdMkTL0SlnyG2qylUew.0.2
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x93^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB9^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xA7^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9E^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8A^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x88^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x93^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC6^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDF^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9B^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9D^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB4^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x80^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDE^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD2^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9D^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB4^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDF^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD2^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC2^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9E^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xA8^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8A^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xBC^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x85^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8F^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xBB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAA^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC2^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDC^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x86^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9D^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDF^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xA7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8A^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x88^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x93^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC6^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x88^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

0_2_0040352D

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

File created: C:\Users\user\AppData\Local\Temp\nskA6BE.tmp

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@631/26@0/0

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1408:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1224:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3288:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Windows\System32\SIHClient.exe	Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2232:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03

Source: C:\Windows\System32\wbem\WMIADAP.exe

File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: rCOTA____OMAGNA.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: rCOTA____OMAGNA.exe PID: 4612, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.4466934808.0000000002B6D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Obfuscated command line found

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9E^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB8^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xBC^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x85^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8F^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDC^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x86^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9D^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8F^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB4^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9B^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x85^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDF^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x93^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB9^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xA7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9E^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8A^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x88^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x93^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC6^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDF^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9B^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9D^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB4^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x80^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDE^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD2^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9D^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB4^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDF^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD2^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC2^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9E^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xA8^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8A^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xBC^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x85^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8F^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xBB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAA^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC2^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDC^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x86^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9D^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDF^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xA7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8A^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x88^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x93^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC6^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x88^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9D^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB4^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x86^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x86^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD2^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC2^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xA8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8A^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xBC^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x85^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8F^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xBB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAA^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9D^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC2^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

Code function: 0_2_6E3830C0 push eax; ret

0_2_6E3830EE

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

Code function: 0_2_6E381BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6E381BFF

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File created: C:\Users\user\AppData\Local\Temp\nsfA826.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File created: C:\Users\user\AppData\Local\Temp\nsfA826.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File created: C:\Users\user\AppData\Local\Temp\nsfA826.tmp\Banner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File created: C:\Users\user\AppData\Local\Temp\nsfA826.tmp\BgImage.dll	Jump to dropped file

Source: C:\Windows\System32\wbem\WMIADAP.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance

Source: C:\Windows\System32\wbem\WMIADAP.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance Performance Data

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

RDTSC instruction interceptor: First address: 0000000003156DCF second address: 0000000003156DCF instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FBCBCE510A7h 0x00000006 test cx, cx 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe TID: 5860	Thread sleep time: -47000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\SIHClient.exe TID: 7152	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6252	Thread sleep count: 2355 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6252	Thread sleep count: 1420 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6252	Thread sleep count: 909 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6252	Thread sleep count: 897 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6252	Thread sleep count: 1420 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Window / User API: threadDelayed 470	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 2355
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1420
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 909
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 897
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1420

Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	API call chain: ExitProcess graph end node			graph_0-4665
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	API call chain: ExitProcess graph end node			graph_0-4509

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts	Jump to behavior

Source: SIHClient.exe, 00000082.00000003.2594100417.000002C59ACBC000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000082.00000002.2595312941.000002C59ACBC000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000082.00000003.2217164271.000002C59ACBC000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000082.00000003.2214835009.000002C59ACBC000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000082.00000003.2216079610.000002C59ACBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SIHClient.exe, 00000082.00000003.2594100417.000002C59AC65000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000082.00000002.2595312941.000002C59AC65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`m

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

Code function: 0_2_6E381BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6E381BFF

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDC^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x86^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9D^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDF^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xA7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8A^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x88^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x93^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC6^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x88^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9D^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xB4^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x86^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x86^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC5^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x87^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDA^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD2^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC2^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xA8^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8A^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv AZQPdMkTL0SlnyG2qylUew.0.2	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xBC^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x85^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8F^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9C^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xBB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x84^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xAA^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x8E^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC7^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9F^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x98^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x99^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC3^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD1^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xD9^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x9D^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDE^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x82^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xCB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xDB^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0xC2^235"	Jump to behavior
Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x92^235"	Jump to behavior

Source: C:\Users\user\Desktop\rCOTA____OMAGNA.exe

0_2_0040352D

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	2 Windows Management Instrumentation	1 Windows Service	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 System Shutdown/Reboot	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Windows Service	1 Modify Registry	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	1 Native API	Logon Script (Windows)	11 Process Injection	2 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	4 File and Directory Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rCOTA____OMAGNA.exe	57%	Virustotal		Browse
rCOTA____OMAGNA.exe	43%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsfA826.tmp\Banner.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsfA826.tmp\Banner.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsfA826.tmp\BgImage.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsfA826.tmp\BgImage.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsfA826.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsfA826.tmp\System.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsfA826.tmp\nsExec.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsfA826.tmp\nsExec.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.microsoft.co	0%	Avira URL Cloud	safe
http://www.microsoft.co	1%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	rCOTA____OMAGNA.exe	false		high
http://www.microsoft.co	SIHClient.exe, 00000082.00000003.2216265016.000002C59B5F9000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1349191
Start date and time:	2023-11-28 11:27:48 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	548
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	rCOTA____OMAGNA.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@631/26@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 42 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 20.114.59.183, 67.26.241.254, 8.253.139.121, 67.26.237.254, 8.253.45.214, 8.253.139.248, 13.85.23.206, 72.21.81.240, 52.165.164.15
Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, slscr.update.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:28:56	API Interceptor	2x Sleep call for process: SIHClient.exe modified
11:29:34	API Interceptor	170x Sleep call for process: rCOTA____OMAGNA.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsfA826.tmp\BgImage.dll	rCOTA____OMAGNALTDAMFOC231877756745758450045.exe	Get hash	malicious	GuLoader, Remcos	Browse
C:\Users\user\AppData\Local\Temp\nsfA826.tmp\BgImage.dll	rCOTA____OMAGNALTDAMFOC231877756745758450045.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nsfA826.tmp\Banner.dll	rCOTA____OMAGNALTDAMFOC231877756745758450045.exe	Get hash	malicious	GuLoader, Remcos	Browse
	rCOTA____OMAGNALTDAMFOC231877756745758450045.exe	Get hash	malicious	GuLoader	Browse
	va9yqoHxmn.exe	Get hash	malicious	GuLoader	Browse
	va9yqoHxmn.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

(copy)

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	4770
Entropy (8bit):	7.946747821604857
Encrypted:	false
SSDEEP:	96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
MD5:	1BFE591A4FE3D91B03CDF26EAACD8F89
SHA1:	719C37C320F518AC168C86723724891950911CEA
SHA-256:	9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
SHA-512:	02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
Malicious:	false
Preview:	MSCF............,...................O.................2Wqh .disallowedcert.stl....^K...CK.wTS...:.w.K'.C0T.....Bh.{....C.)......Y@...(..).R."E..D^6........u....\|f~3...o.3. ..SPK.k.o#...."{-.U..P........:..aPr.@.d......Dy.h.....)..:...!./\A.....A<I_<$...q.h..........'.....7....H...@`T..K.S.%...Y4..R.....`.....-....D...(..b..-c."...G.=.dx..S+..2.a.E....d.L...77J...c.[..@..iT&..^78..g....NW6.Ek..FY.F........cNt.O...R..........D...... k........J.y...z.d...;.9_t...].@....yw..}.x....d.t..`f\K..;\|.h.X...4/.;.xT......q>.0...<...3...X..L$.&.,b.....\V....\......G..O..@..H3.....t..J..).x.?.{[..G>.7...<...^Q..z..Gw9P..d....i].n%K}.z..2.Py...A..s...z..@...4..........4.....Y.d..._Z.5.s..fl.C..#.K{9^.E...k..z.Ma..G.(.....5g. ...}.t.#4....$;.,....S@fs....k......u .^2.#_...I........;.......w..P...UCY...$;.S._\|.x..dK...[i..q..^.l..A.?.....'N.. .L.l......m.*.+f#]............A.;.....Z..rIt....RW....Kr1e=8.=.z:Oi.z.d..r..C_......o...]j.N;.s....3@3.dgrv.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.174857563182266
Encrypted:	false
SSDEEP:	6:kKFDAN+SkQlPlEGYRMY9z+s3Ql2DUevat:x/kPlE99SCQl2DUevat
MD5:	5E79F87E9F3B83674CA4F227027132FC
SHA1:	E10D8BF83434495A5B18BED865608E767499AE6E
SHA-256:	08D25C3A2289D46C502850A4B2CEEF78984747D4E54429A7021A971C4131632B
SHA-512:	487F76F2FF428A99B4A06D096711D0E8AB045D0BAE4DAAE241AA4E85A42A8B75892CEE35647541EC52AC4D73A7AC7579D6B7283CE39E2955D292EC25153B17A4
Malicious:	false
Preview:	p...... .........j...!..(....................................................... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\Local\Temp\codette\darning\Semicentenary\Pseudoorganic\Brydningslov44\Sobralia\Mortifications.Agi

Download File

Process:	C:\Users\user\Desktop\rCOTA____OMAGNA.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	78798
Entropy (8bit):	2.6708764379304153
Encrypted:	false
SSDEEP:	1536:oe+/CHxjm/OdvISUoGSg6Iw/hcuPZKRa4kV15Xotvz:o205gVPW
MD5:	2F6FDBD4B41C63D4DDDA506CEEF847A5
SHA1:	01F6F46C53F1709776D4C10E3AEAA6BF61EAB7F2
SHA-256:	16FDDD5D146BAB969A2006339EF04DD79367D2A76BBB361B67E6A23086AA9D3D
SHA-512:	8129EEE5D3097E9B468C04B1A95D600E6BBAEA7489DB09550E6ADD922EA9C5BC245754EED822D79AF487381B3D204552BC355E8066A02964DF1DE890105B330C
Malicious:	false
Preview:	000000001E1E1E00F5F5F5F5F5000000EEEEEE00000000F600006C6C0000006E6E6E000000000040400000000004000000E3006A009696960051000000B7B700001D1D00C3007F7F7F000024240028000000000000000000730016160000DC0000000000007200002D0000E0000000000012000044440000E800EAEA0000707000E90056002727000000006100BDBD002A2A2A2A000039000000000000C9C9009800626262620000004C4C4C008F0004040400D900002D00690094949400525200A50000EB002121007D00B10000C3000000004300470000000000BFBFBF0000B9B9B900000F0F00006F000000BA000000D9D90000CACACA0061616100000080004E00000000C90000006B00969696006D6D000000000072727272001A00007300CFCF0000000091919100000023230000B50000DB00595900DB0000A80000000700FCFC0000C2C200E0000000E0E00000E9002A0064646400AA009C000000007B7B000000001B1B00282828007A7A7A7A0000E1E100DA0000AAAA00FA00006A6A6A6A0000CBCB00A400FA00000000000064002E2E2E000000F6000000B3B3B3007C7C0000001A1A1A009999005F5F00A200E6E600000E0E0E0E0E000000C100EEEE0000000000131300FF000000000056000000002D2D2D0000CF0058585800C800000000850000006700850000666600020000

C:\Users\user\AppData\Local\Temp\codette\darning\Semicentenary\Pseudoorganic\Brydningslov44\Sobralia\barnligt.out

Download File

Process:	C:\Users\user\Desktop\rCOTA____OMAGNA.exe
File Type:	data
Category:	dropped
Size (bytes):	5045406
Entropy (8bit):	0.2976889737184529
Encrypted:	false
SSDEEP:	768:ip3Ozo3jSwMnREaS2TWc0hlIra3ApJooqMA3EbRReOjbU8IuoAwz+ouII/qoTSA5:uIHTuYZFumgPxIe
MD5:	959D43BF7EC45DBF4EB1630642DA8620
SHA1:	964F3CB604BA1BFD7452A58BE4A38DBCBAAA321A
SHA-256:	DE50678B47D6F37C0CACB6B6BA262E117683816A24CE97EB96C779DE3F7DAAD3
SHA-512:	67E0F08B78075A5A8671BC511BC0263197C656F3FC5307FAF6764FAB825F42C44219174A390E34B62A6F66EE4E15B3DF7114FCC4EF3E0346B938E0BDF3D86311
Malicious:	false
Preview:	....................................................................................................................................................................................................................................R............................ ........................h................K.........................................................v.....................................u..........................................................................................................................................?....................s..........................................................................<................................................................................................................................o......................................................................................................................:...............................&.........................................................................................

C:\Users\user\AppData\Local\Temp\codette\darning\Semicentenary\Pseudoorganic\Brydningslov44\Sobralia\gaspedals.txt

Download File

Process:	C:\Users\user\Desktop\rCOTA____OMAGNA.exe
File Type:	ASCII text, with very long lines (341), with no line terminators
Category:	dropped
Size (bytes):	341
Entropy (8bit):	4.305896476778674
Encrypted:	false
SSDEEP:	6:OvNulc7HrzTGMCyqT8X15MJkmAKFU6gEgNubui6NvWAXNzwMEaloJxu:OvNuajTGMCyqTGwBrbuHNOAXNzwMEZJA
MD5:	FC0BBEC30C4902D8C126FBFA0A00C090
SHA1:	6E95646507E1EFF4F802C332455794E21BC0F8F3
SHA-256:	6991709B1D51209BA839874F54BBE9760EEFF8AD11667A5AA362682B34EA25FA
SHA-512:	B87D887D491F591CBBD35746341333DAC1C06CD91727B3B9294708D71D426357CD06D3470FE9C236263553D9C03902EE28982CD9C9A9722E688876512C1FE307
Malicious:	false
Preview:	tritoconid dieldrins wigglier,lathyrism offerviljer thermogeny rabiates photooxidation ani,skandalepresse kenns strmafbrydelsens midtlinje mcdaniel stumpede,adenotomic rufus nedsttendes spidvender papiroplysninger pinecone.condescend bislagenes langeel nighnesses quercivorous hofdame,fremontia frydefuldt scotopic luxulianite polydactylism,

C:\Users\user\AppData\Local\Temp\codette\darning\Stinksvampene.Sko

Download File

Process:	C:\Users\user\Desktop\rCOTA____OMAGNA.exe
File Type:	data
Category:	dropped
Size (bytes):	168577
Entropy (8bit):	7.780404690965998
Encrypted:	false
SSDEEP:	3072:DRJl5jBX9fGiv0MlYTB16kIodWZNnUVVsjidCzQMbRYZFKOy0Bv9:Dzf9X9fhmF1iodGnwqjfRqd9
MD5:	2BD37F8C5E720F6509C67F9A0F367F04
SHA1:	23199E6B4FFC25D9E67B8525074C512FB44F64B9
SHA-256:	4B2128BC72F0285B5CDF7D261168CFC6652AE5BCE16FD383CBF414B29B926F8E
SHA-512:	7B10ABCC8DB30A85E302B7C6331621151D14346F03E9F0CD07B921E1CD774F74298C8D73DD0B0C147B2540A6C3C24531E91F1697C85D27DF3DC6794546927646
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\codette\darning\bisonen\Grafikskrmenes\tabletting.non

Download File

Process:	C:\Users\user\Desktop\rCOTA____OMAGNA.exe
File Type:	data
Category:	dropped
Size (bytes):	4481203
Entropy (8bit):	0.29610314312880837
Encrypted:	false
SSDEEP:	768:mWQEmpUAV+gNzTp6HnGPn+Rk+avXYyyOaXUTnGxW0qQ62b3VsUlEEsZHVUiAq6e8:uXDQ452YYfXqFoiB
MD5:	D6DF1306D17BCDE2D862ACEB97D9A3F7
SHA1:	5D8A04EE4B0242D7B3CB80EF8AB0E205C634F9EC
SHA-256:	3F8E72B9D05C86B9A07FE154A7F5FE8FC0AB8BEDC4BCC297E4801C8812070B65
SHA-512:	76A47A31175F872512674D617A93E78502FC344EFF5C25671C0E72C1EBCEF6FA417DF4822EBCA119878846C10AA5DC45EF1AADCCFBBCDBAB7DD06E8A42BC24BF
Malicious:	false
Preview:	.......................................................................................................................................]...................................................x......................................................................................................................................................................................................................................................................................................................................................................................................................................................................+.............................................................................................................................................................................a................................................C...........................................................V..........................................................................

C:\Users\user\AppData\Local\Temp\nsfA826.tmp\Banner.dll

Download File

Process:	C:\Users\user\Desktop\rCOTA____OMAGNA.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.679447058913102
Encrypted:	false
SSDEEP:	48:qfvVqdq/6waPy6Qths/zvXg1ss0Ai+wGXwBxirvdcwr1B38:E8A6wwzvwV0TFGABxix/1C
MD5:	A1B9BDEE9FC87D11676605BD79037646
SHA1:	8D6879F63048EB93B9657D0B78F534869D1FFF64
SHA-256:	39E3108E0A4CCFB9FE4D8CAF4FB40BAA39BDD797F3A4C1FA886086226E00F465
SHA-512:	CD65D18ECA885807C7C810286CEBEF75555D13889A4847BB30DC1A08D8948893899CC411728097641A8C07A8DCC59E1C1EFA0E860E93DADA871D5B7ACC61B1E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: rCOTA____OMAGNALTDAMFOC231877756745758450045.exe, Detection: malicious, Browse Filename: rCOTA____OMAGNALTDAMFOC231877756745758450045.exe, Detection: malicious, Browse Filename: va9yqoHxmn.exe, Detection: malicious, Browse Filename: va9yqoHxmn.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.............................. ......0#......Rich............................PE..L....Oa...........!......................... ...............................P............@.........................."..h...l ..<............................@....................................................... ..l............................text...j........................... ..`.rdata..(.... ......................@..@.data...<....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsfA826.tmp\BgImage.dll

Download File

Process:	C:\Users\user\Desktop\rCOTA____OMAGNA.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	5.220781837592475
Encrypted:	false
SSDEEP:	96:8eUk1LFJaO1/radJEaYtv1Zs4lkL8y3A2EN8Cmy3uTR4j7J3kWyy/:t/TJa2roqJyA2EN8diuTuje
MD5:	114596F7BC4A72669BF8664F3C583FBF
SHA1:	F1822C1AA0A45C448ADF9427E3CFFF49965480DF
SHA-256:	BB79DC8B1F8BBD3296E4406128040CD1652404BE6B9387E780D3341BB1ED935B
SHA-512:	99BBAEA89766411F7BC2FD5570565E8341F382ED0877CD397A1A3D92297BEAE23E95BA643339045B74FE97EDEB7C87A460C8AAAF75742EA05058245C0F1DC0FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: rCOTA____OMAGNALTDAMFOC231877756745758450045.exe, Detection: malicious, Browse Filename: rCOTA____OMAGNALTDAMFOC231877756745758450045.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.W.p.9Cp.9Cp.9Cp.8C@.9C..dCy.9C$..Cq.9C$..Cq.9C..=Cq.9CRichp.9C........PE..L....Oa...........!................"........ ...............................`............@..........................$....... ..d............................P....................................................... ...............................text...D........................... ..`.rdata....... ......................@..@.data........0......................@....reloc..v....P......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsfA826.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\rCOTA____OMAGNA.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsfA826.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\rCOTA____OMAGNA.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.298362543684714
Encrypted:	false
SSDEEP:	96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
MD5:	675C4948E1EFC929EDCABFE67148EDDD
SHA1:	F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
SHA-256:	1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
SHA-512:	61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\INF\WmiApRpl\WmiApRpl.h

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\INF\WmiApRpl\WmiApRpl.ini

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category:	dropped
Size (bytes):	48786
Entropy (8bit):	3.5854495362228453
Encrypted:	false
SSDEEP:	384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
MD5:	DF877BEC5C9E3382E94FEA48FEE049AC
SHA1:	1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
SHA-256:	7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
SHA-512:	433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

C:\Windows\Logs\SIH\SIH.20231128.112854.115.1.etl

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.1639403213473325
Encrypted:	false
SSDEEP:	192:F2R92xVJKF/UUYAg1HoaSRSy7bKzOEO/zNUx:FIiVJM/UUYAg1HodRSy7mzOEO/zNUx
MD5:	3AE0E6D609EB8DA0F8410F4DEEF60E5C
SHA1:	78DC1ECDAF55C41A712EB4887A7F6B17164A7D24
SHA-256:	D8FF5B5B0F504F88A72A5A01C353B629F8FF2DD518531A4A3AFE89D84C0182CA
SHA-512:	6D76527D8FD9F999F5801D284AA9624672A7217F6D1C1EBB052C5CD7B0BB7E596D0DF8E8D1C27A8CE217333A6470485A46E2090A8FB767672C55B8A725B5370E
Malicious:	false
Preview:	....P...P.......................................P...!....................................t.....................eJ...........!..Zb....... ..........................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1............................................................W..................!..........S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.3.1.1.2.8...1.1.2.8.5.4...1.1.5...1...e.t.l.......P.P..........t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMPF6E2.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 462 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 31944, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	17126
Entropy (8bit):	7.3117215578334935
Encrypted:	false
SSDEEP:	192:D5X8WyNHDHFzqDHt8AxL5TKG+tJSdqnajapCNjFZYECUqY7oX9qhnJSdqnaja2Sl:qDlsHq4ThPdlmY9CUiqOdlm2W
MD5:	1B6460EE0273E97C251F7A67F49ACDB4
SHA1:	4A3FDFBB1865C3DAED996BDB5C634AA5164ABBB8
SHA-256:	3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A
SHA-512:	3D256D8AC917C6733BAB7CC4537A17D37810EFD690BCA0FA361CF44583476121C9BCCCD9C53994AE05E9F9DFF94FFAD1BB30C0F7AFF6DF68F73411703E3DF88A
Malicious:	false
Preview:	MSCF............D................\|...............A..........d.......................environment.xml.....b...CK..ao.0...J...&.q...-..;+.6+-i.......7.....=....g.P.RQ.#..#...QQ..p.kk..qX..)...T.....zL#<.4......\k..f..,.Q...`..K7.hP..".E.53.V.DW.X).z.=`.COO 8..8.......!$.P!`00....E.m..l .)".J.vC..J..&...5.5(.a..!..MIM.........z.;......t.<.o..\|CR.3>..n.;8dX....:....N.....U.......J.I(vT..3...N....$.._^.A<....&=._(N....m.u.1}.....Ax.b8....q~.i..0.A....H........A.0.@....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". ...,..gK.........(...._`Oa..;%.010...`.H.e....... K...,.%@.b./.a...Q.:..E.7....V~....0...0..........3....!.G~&.9......0....H........0~1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1(0&..U....Microsoft Update Signing CA 2.20...190502214449Z..200502214449Z0o1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft Update0.."0...

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 7826 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 53283, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	24490
Entropy (8bit):	7.629144636744632
Encrypted:	false
SSDEEP:	384:iarwQcY8StpA7IQ6GCq30XPSIleI7lzCuqvfiSIleIx:iartHA7PCFP66Tqvfi6c
MD5:	ACD24F781C0C8F48A0BD86A0E9F2A154
SHA1:	93B2F4FBF96D15BE0766181AFACDB9FD9DD1B323
SHA-256:	5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
SHA-512:	7B1D821CF1210947344FCF0F9C4927B42271669015DEA1C179B2BEAD9025941138C139C22C068CBD7219B853C80FA01A04E26790D8D76A38FB8BEBE20E0A2A4A
Malicious:	false
Preview:	MSCF............D...............#................A..........d........B..............environment.cab.x.\&..BCK.\.T...N.....;LB.JW.. .w!....$...U....."........ (.. E..........w...e.Jf.3gN.{...{V.M4.!.....hn. p(... .a...f..f..j.....Kh5..l.DB\}.=.0.>..X.....z..,'..LC/>....h.>.>.........,~mVI.....'EGD]^..\{....Q....f...4.F.....q..FF.1~...Q,.."g.qq.......}.....g%Zz.;m.9..z../2Jl.p8wGO......-V....FM......y.....Hy.xy......N.r;.@uV........Xa...b].`..F...y.Wd.e.8.[Z.s7].....=B.$...'.\|.-.sC....a_(..$..i.C.T.F}...]...m.R,y.1...'..j3.....ir..B..)sR.G...`-=.w....m..2y.....o...\{..C.4.:ZM..wL-$.I.x:?.!.....:..W.%&.....J.%.....~....E..T.d.Q{..p..J..pY...P../.."rp....`...#w.....'.\|n%Dy,.....i....."..x.....b._..\_.^.XOo..*:.&a.`..qA.?.@..t.R/...X3.nF.&........1Z.r.S...9x........?..aP..A...f..k:..\....L...t....Q...1..A..33A1.t..)...c....;......$.$..>._....A.!g`..t...b.H.L..&.....!......v~.n...uE.x...."5.h.4..B.R.d.4.%--.`.B..."..[....l......x(..5......@.zr....

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPFE60.tmp

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 283 bytes, 1 file, at 0x44 +Utf "environment.xml", flags 0x4, ID 18148, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	modified
Size (bytes):	17395
Entropy (8bit):	7.297808060361236
Encrypted:	false
SSDEEP:	192:Y++BFO7SCP3yalzqDHt8Axz5GIqMvus/qnajBMWj6AkKFZYECUqY7S8Zuo1nqnaC:lCksHqzj0l9P6AnCUTZZl9lRo
MD5:	E97660B7AB6838D0D96B5C6BB4328753
SHA1:	AA104E62A8166E23D89C4769EC382EF345299D28
SHA-256:	2BA13EB8A2705B01E54067B2A4FFC17CA2EB376EE3F3BA8D9C5FACE8C5AC1279
SHA-512:	E867FE411239AD8EB66342C9522D48DBC9BB872210CD14B4C734661C4966AEC8CF022C510284B70736049E1F98C4EDA18651C7F7A3B7F6E1DEF782F4F89E8FB2
Malicious:	false
Preview:	MSCF............D................F...............B..........d.......................environment.xml.........CKu.]..0....8.K..:1..]d..A...... .F..9/.G.....hF.U....U.[....{F.D<(...T..h5.....Bz.=.a..6......Y...H..u...UY.......g.E...U...T.SM.%n..w......B.=.e....j.fZ.....YY....0.B....H........B.0.B....1.0...`.H.e......0....+.....7......0..0V..+.....7....H.......$f.....`..41200..+.....7...1". D.!....(....i..#_..cZ...Ei?..ui010...`.H.e....... K.....:U...45%.sH&V.NpH..U.........0...0..........3......9...d.......0....H........0~1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1(0&..U....Microsoft Update Signing CA 2.20...180712201748Z..190808201748Z0o1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....Microsoft Update0.."0....H.............0.........\|n.......Y..vx{<.4.......c[.......8f...4.e.#W................V.8.;.N....9$T..=..O~..c...r..B.f........z.$........"...PM8.Yo..;.u.T\....{T...&J.

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	Microsoft Cabinet archive data, single, 8785 bytes, 1 file, at 0x44 +Utf "environment.cab", flags 0x4, ID 36571, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	25457
Entropy (8bit):	7.655665945183416
Encrypted:	false
SSDEEP:	384:i9eD3oXHzqAAteICxU2L/l/dVCmMMx2GCq3fQkclmIO+WccCuqvXolUjx2:3AhAteHq2L/l/dkMxjCgF+WcmqvS
MD5:	9D27F0ECE5019003D4415EB80973B81A
SHA1:	39C19D8842C0201FD203F6D1EA79CEBD2E880970
SHA-256:	331D51A091FFA84C2959F2A5971EEC6EC976F00B84473E4861D72CBED4C97203
SHA-512:	8DF4CBDF4248743F50DFB41B0E6CC94C61227505288B23742EA0E9C86A8FA71D2AA84621D094D867C91BA4B551256E7FDD28ADE5ABA6C23F68CD80A4768922E1
Malicious:	false
Preview:	MSCF....Q"......D..........................Q".. A..........d........C..............environment.cab...o..!.CCK.Z.8U[.?...)..).s.Jf2.2d.1..R8..Bf...2....Q...)S.JR.P.F...{..~.}.}....g.5...?........1@![?......B...d.l......X...g.^.....@...I......+F......4T..R...:J...C>.\.x.M$..9j._5#._.D=;....8-%<.JQ....R`D..D.0.2/....B.t........A,=.=..R.T..53.8........K..........>..m';^..#O3..h5\|h.U.......HP."[.'Sl.\|.c..Y.B....i.....Sx.O..r(d..J.K.)..UM0(.I....Y......0(........C.P....H.F....:.C....G.....x.tC.V..Q$....."...J.l...p..XZ/.E'.pX...^....%i.B....`.O.}=W..~NV...W..!n.1m.C.).FX.!.82.......?..aP..J.<...R=D.lon......%.7.$....F.\|.......,.R..X{:.].c.\.....J..};[.7W[$3..YCLE....p.t...y..yXc...^.{..N.......c.j.>....(..B..tdHI@..B.H.QI3.(.H.......>z.n{}.?...A.w..$=..%....0.(0.].IR..)rLcCN.......[./...l...gB..%..>0.v.p..Y.......o...76...".d..6>i.L...H&......2....q.{..h..WL...C.r..Z..n.L.T..^5..%.o.....u^.G.6...3.L.p......2A.*Im._Z......;.2.}z..2

C:\Windows\System32\PerfStringBackup.INI

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	840878
Entropy (8bit):	3.4224066455051885
Encrypted:	false
SSDEEP:	3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
MD5:	D3ED23A3E63ACA8CF656C585568DA6D7
SHA1:	1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
SHA-256:	AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
SHA-512:	21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
Malicious:	false
Preview:	........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.

C:\Windows\System32\PerfStringBackup.TMP

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	840878
Entropy (8bit):	3.4224066455051885
Encrypted:	false
SSDEEP:	3072:xJQGb/6IPolY/OhyIGmZkzTMWcnqgspmTbQiIJEDc3dv+eBrq2Bw+1wQ5xcEkc7+:01nqgsp2gOKih3
MD5:	D3ED23A3E63ACA8CF656C585568DA6D7
SHA1:	1A499D7E9A030D53B2A4DBD36F6F14B6531A6094
SHA-256:	AE5A6E258A41298BE6CF2B3DA812E992E1D6A3C7FBC7DD4AA8B413DA850E8B65
SHA-512:	21E2953B0819567865DA9C80A7D07021D7ED48F4BA3CD843C42D13D18E0E8FB27FA2F7C4EC86D4A1F4D887146F0F7E9E05B6A53D85398EA43240C2E180D52E00
Malicious:	false
Preview:	........[.P.e.r.f.l.i.b.].....B.a.s.e. .I.n.d.e.x.=.1.8.4.7.....L.a.s.t. .C.o.u.n.t.e.r.=.1.0.1.2.2.....L.a.s.t. .H.e.l.p.=.1.0.1.2.3.........[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.4.0.....F.i.r.s.t. .H.e.l.p.=.6.8.4.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.5.2.....L.a.s.t. .H.e.l.p.=.6.8.5.3.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.8.2.8.....F.i.r.s.t. .H.e.l.p.=.6.8.2.9.....L.a.s.t. .C.o.u.n.t.e.r.=.6.8.3.8.....L.a.s.t. .H.e.l.p.=.6.8.3.9.........[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g. .4...0...0...0.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.6.9.0.0.....F.i.r.s.t. .H.e.l.p.=.6.9.0.1.....L.a.s.t. .C.o.u.n.t.e.r.=.6.9.2.6.....L.a.s.t. .H.e.l.p.=.6.9.2.7.........[.P.E.R.F._...N.E.T. .D.a.t.a. .P.r.o.v.i.d.e.r. .f.o.r. .O.r.a.c.l.e.].....F.i.r.s.t. .C.o.u.n.t.e.r.=.8.9.1.6.....F.i.r.s.t. .H.e.l.p.=.8.9.1.7.....L.a.s.t. .C.o.u.n.t.e.r.=.8.9.4.4.....L.a.s.t. .H.e.l.p.=.8.9.4.5.........[.P.E.R.F._...N.E.

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\SIHClient.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.4572760797322735
Encrypted:	false
SSDEEP:	6:kK3j3C83yJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:L3CCxkPlE99SCQl2DUevat
MD5:	3B2093D06BE7F680F65CF88E972A6291
SHA1:	0CB99A905DC6E98AE8A49F3662FE0D9DFD0571F7
SHA-256:	A02CC96864A37AF53B32667070652451C9C4767982EFE347BEC1EA5AF8CA8DA9
SHA-512:	CE649D6583D215E9087526F8AE0CA7A3EE1BBA909CEA62D3086D3662BDC892E747A00F5130F4095A32E3362089710A50D5800C3BADC4E9FAE783C55558B41C73
Malicious:	false
Preview:	p...... ........q....!..(.................................................L#... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Windows\System32\perfc009.dat

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	137550
Entropy (8bit):	3.409189992022338
Encrypted:	false
SSDEEP:	1536:X1i4nfw8ld9+mRDaUR28oV7TYfXLi7NwrgSwNu56FRtg:XBnfw8ld9+mRDaUR28oV7TY+7S0ba
MD5:	084B771A167854C5B38E25D4E199B637
SHA1:	AE6D36D4EC5A9E515E8735525BD80C96AC0F8122
SHA-256:	B3CF0050FAF325C36535D665C24411F3877E3667904DFE9D8A1C802ED4BCD56D
SHA-512:	426C15923F54EC93F22D9523B5CB6D326F727A34F5FF2BDE63D1CB3AD97CAB7E5B2ABABBC6ED5082B5E3140E9342A4E6F354359357A3F9AEF285278CB38A5835
Malicious:	false
Preview:	1...1.8.4.7...2...S.y.s.t.e.m...4...M.e.m.o.r.y...6...%. .P.r.o.c.e.s.s.o.r. .T.i.m.e...1.0...F.i.l.e. .R.e.a.d. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.2...F.i.l.e. .W.r.i.t.e. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.4...F.i.l.e. .C.o.n.t.r.o.l. .O.p.e.r.a.t.i.o.n.s./.s.e.c...1.6...F.i.l.e. .R.e.a.d. .B.y.t.e.s./.s.e.c...1.8...F.i.l.e. .W.r.i.t.e. .B.y.t.e.s./.s.e.c...2.0...F.i.l.e. .C.o.n.t.r.o.l. .B.y.t.e.s./.s.e.c...2.4...A.v.a.i.l.a.b.l.e. .B.y.t.e.s...2.6...C.o.m.m.i.t.t.e.d. .B.y.t.e.s...2.8...P.a.g.e. .F.a.u.l.t.s./.s.e.c...3.0...C.o.m.m.i.t. .L.i.m.i.t...3.2...W.r.i.t.e. .C.o.p.i.e.s./.s.e.c...3.4...T.r.a.n.s.i.t.i.o.n. .F.a.u.l.t.s./.s.e.c...3.6...C.a.c.h.e. .F.a.u.l.t.s./.s.e.c...3.8...D.e.m.a.n.d. .Z.e.r.o. .F.a.u.l.t.s./.s.e.c...4.0...P.a.g.e.s./.s.e.c...4.2...P.a.g.e. .R.e.a.d.s./.s.e.c...4.4...P.r.o.c.e.s.s.o.r. .Q.u.e.u.e. .L.e.n.g.t.h...4.6...T.h.r.e.a.d. .S.t.a.t.e...4.8...P.a.g.e.s. .O.u.t.p.u.t./.s.e.c...5.0...P.a.g.e. .W.r.i.t.e.s./.s.e.c...5.2...B.r.o.w.s.e.r...5.4...A.n.n.o.u.

C:\Windows\System32\perfh009.dat

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	data
Category:	dropped
Size (bytes):	715050
Entropy (8bit):	3.278818886805871
Encrypted:	false
SSDEEP:	3072:NUdGNuowE4j0PrRZnpETMDZ8M6d0PHHx643/A5BK9YXdhPHlVziwC4ALWI1dnmRh:78M6d0w+WB6I
MD5:	342BC94F85E143BE85B5B997163A0BB3
SHA1:	8780CD88D169AE88C843E19239D9A32625F6A73E
SHA-256:	F7D40B4FADA44B2A5231780F99C3CE784BCF33866B59D5EB767EEA8E532AD2C4
SHA-512:	0A4ED9104CAFCE95E204B5505181816E7AA7941DED2694FF75EFABAAB821BF0F0FE5B32261ED213C710250B7845255F4E317D86A3A6D4C2C21F866207233C57E
Malicious:	false
Preview:	3...T.h.e. .S.y.s.t.e.m. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .a.p.p.l.y. .t.o. .m.o.r.e. .t.h.a.n. .o.n.e. .i.n.s.t.a.n.c.e. .o.f. .a. .c.o.m.p.o.n.e.n.t. .p.r.o.c.e.s.s.o.r.s. .o.n. .t.h.e. .c.o.m.p.u.t.e.r.....5...T.h.e. .M.e.m.o.r.y. .p.e.r.f.o.r.m.a.n.c.e. .o.b.j.e.c.t. . .c.o.n.s.i.s.t.s. .o.f. .c.o.u.n.t.e.r.s. .t.h.a.t. .d.e.s.c.r.i.b.e. .t.h.e. .b.e.h.a.v.i.o.r. .o.f. .p.h.y.s.i.c.a.l. .a.n.d. .v.i.r.t.u.a.l. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .P.h.y.s.i.c.a.l. .m.e.m.o.r.y. .i.s. .t.h.e. .a.m.o.u.n.t. .o.f. .r.a.n.d.o.m. .a.c.c.e.s.s. .m.e.m.o.r.y. .o.n. .t.h.e. .c.o.m.p.u.t.e.r... . .V.i.r.t.u.a.l. .m.e.m.o.r.y. .c.o.n.s.i.s.t.s. .o.f. .t.h.e. .s.p.a.c.e. .i.n. .p.h.y.s.i.c.a.l. .m.e.m.o.r.y. .a.n.d. .o.n. .d.i.s.k... . .M.a.n.y. .o.f. .t.h.e. .m.e.m.o.r.y. .c.o.u.n.t.e.r.s. .m.o.n.i.t.o.r. .p.a.g.i.n.g.,. .w.h.i.c.h. .i.s. .t.h.e. .m.o.v.e.m.e.n.t. .o.f. .p.a.g.e.s. .o.f. .c.o.d.e. .a.n.d. .d.a.t.a. .b.e.t.

C:\Windows\System32\wbem\Performance\WmiApRpl_new.h

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (405), with CRLF line terminators
Category:	dropped
Size (bytes):	48786
Entropy (8bit):	3.5854495362228453
Encrypted:	false
SSDEEP:	384:esozoNc1+12zG1+b61ubSGMLVrj4+PtC81ZBg4Lg4ung4og4uo91K91zI91K91z2:esozozBg4Lg4ung4og4uWG4MG4o1
MD5:	DF877BEC5C9E3382E94FEA48FEE049AC
SHA1:	1D61436C8A1C057C1B1089EB794D90EE4B0D8FE9
SHA-256:	7F0F3FA64E41A30BACA377B6399F8F7087BC54DA9FCA876BFDC2C2EEECA8454B
SHA-512:	433CB16EBE2292CB60CB8CE71207EBB752295FB73E6D13E215E771EC5FC433EE29577AF28641255810C18078B95F04A9D37734B6F49CB6A6302821E365672205
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........[.o.b.j.e.c.t.s.].....W.M.I._.O.b.j.e.c.t.s._.0.0.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.980154210740673
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rCOTA____OMAGNA.exe
File size:	780'152 bytes
MD5:	e8ae37869c7ad38c37445c1e16c7a065
SHA1:	afdf5240a81479a5b020c0432741c203bc0bec01
SHA256:	24b9d2af5baedd2f1a03ccce703c5a79251c10783108ab7a1816d24e464e64ce
SHA512:	0f9f99da508d08abd99acf5c63902ced13e8ecb570ed4ae486a05db9fef34ed03cf22a5d1d871ba0a1e2525e965889f62a01ec4ce2e12d1e25c11b35e0f8407b
SSDEEP:	12288:BbMwYfOZx/q6FWhW37KrtJXjABachoWeEhVV5r0B5H1lMZafL14rBdeaBLFO7Sbd:BbMwYfOZxvEI7oJXn5W3VPoH1lMY69dD
TLSH:	7BF4230501F3F273DA1287B7D6A632737ED6EC10D9656B0713843F89B5332522B2AAC5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

File Icon


Icon Hash:	55888ac7c7a3a6a5

Static PE Info

General

Entrypoint:	0x40352d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Flonellen@Skalarumbillede.Anh, OU="Yderverdner Vintages assault ", O=letoplselig, L=West Winterslow, S=England, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	01/06/2023 01:39:19 31/05/2026 01:39:19
Subject Chain	E=Flonellen@Skalarumbillede.Anh, OU="Yderverdner Vintages assault ", O=letoplselig, L=West Winterslow, S=England, C=GB
Version:	3
Thumbprint MD5:	28B3835575177F0EB124DB23AF2038A4
Thumbprint SHA-1:	38EA825BE1A69DCE88A0027345CCA63D8BBB3A60
Thumbprint SHA-256:	0C33750978455AF8D57BDDBC37753D78A266E517835E658845E4407829DD31DB
Serial:	066F65D7246347A103C83912288CD38CE70965D8

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007FBCBCF9A91Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007FBCBCF9A8EAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [00434FB8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x16d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xbc510	0x2268
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6897	0x6a00	False	0.6661261792452831	data	6.458398214928006	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a6	0x1600	False	0.4392755681818182	data	5.024109281264143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2b018	0x600	False	0.521484375	data	4.15458210408643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x24000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5a000	0x16d8	0x1800	False	0.31689453125	data	4.172010041710146	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x5a2b0	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x5a618	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.20809248554913296
RT_DIALOG	0x5ab80	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x5acc8	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x5ae08	0x100	data	English	United States	0.5234375
RT_DIALOG	0x5af08	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5b028	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x5b0f0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5b150	0x14	data	English	United States	1.1
RT_VERSION	0x5b168	0x230	data	English	United States	0.5392857142857143
RT_MANIFEST	0x5b398	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	11:28:35
Start date:	28/11/2023
Path:	C:\Users\user\Desktop\rCOTA____OMAGNA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\rCOTA____OMAGNA.exe
Imagebase:	0x400000
File size:	780'152 bytes
MD5 hash:	E8AE37869C7AD38C37445C1E16C7A065
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.4466934808.0000000002B6D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	11:28:36
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0x9E^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	11:28:37
Start date:	28/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	11:28:38
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0xD1^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	23
Start time:	11:28:39
Start date:	28/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	34
Start time:	11:28:40
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0x84^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	40
Start time:	11:28:41
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0x82^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	48
Start time:	11:28:42
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0x82^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	56
Start time:	11:28:43
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0x86^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	64
Start time:	11:28:44
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0x99^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	72
Start time:	11:28:45
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0x87^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	80
Start time:	11:28:46
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0xB4^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	88
Start time:	11:28:47
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0x85^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	96
Start time:	11:28:48
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0x99^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	104
Start time:	11:28:49
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0xCB^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	112
Start time:	11:28:50
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0x93^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	118
Start time:	11:28:52
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0xDB^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	122
Start time:	11:28:53
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0xC7^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	130
Start time:	11:28:54
Start date:	28/11/2023
Path:	C:\Windows\System32\SIHClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sihclient.exe /cv AZQPdMkTL0SlnyG2qylUew.0.2
Imagebase:	0x7ff6cb330000
File size:	380'720 bytes
MD5 hash:	8BE47315BF30475EEECE8E39599E9273
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	138
Start time:	11:28:55
Start date:	28/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	151
Start time:	11:28:57
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0x92^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rCOTA____OMAGNA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

(copy)

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\Local\Temp\codette\darning\Semicentenary\Pseudoorganic\Brydningslov44\Sobralia\Mortifications.Agi

C:\Users\user\AppData\Local\Temp\codette\darning\Semicentenary\Pseudoorganic\Brydningslov44\Sobralia\barnligt.out

C:\Users\user\AppData\Local\Temp\codette\darning\Semicentenary\Pseudoorganic\Brydningslov44\Sobralia\gaspedals.txt

C:\Users\user\AppData\Local\Temp\codette\darning\Stinksvampene.Sko

C:\Users\user\AppData\Local\Temp\codette\darning\bisonen\Grafikskrmenes\tabletting.non

C:\Users\user\AppData\Local\Temp\nsfA826.tmp\Banner.dll

C:\Users\user\AppData\Local\Temp\nsfA826.tmp\BgImage.dll

C:\Users\user\AppData\Local\Temp\nsfA826.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsfA826.tmp\nsExec.dll

C:\Windows\INF\WmiApRpl\WmiApRpl.h

C:\Windows\INF\WmiApRpl\WmiApRpl.ini

C:\Windows\Logs\SIH\SIH.20231128.112854.115.1.etl

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMPF6E2.tmp

C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPFE60.tmp

C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab

Windows Analysis Report
rCOTA____OMAGNA.exe

Target ID:	157
Start time:	11:28:58
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0xB9^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	164
Start time:	11:28:59
Start date:	28/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	173
Start time:	11:29:00
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0xBD^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	180
Start time:	11:29:01
Start date:	28/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	187
Start time:	11:29:02
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0xAA^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	196
Start time:	11:29:03
Start date:	28/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	203
Start time:	11:29:04
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0x82^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	211
Start time:	11:29:05
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0xC7^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	218
Start time:	11:29:06
Start date:	28/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	225
Start time:	11:29:07
Start date:	28/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c set /a "0xCB^235"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true