Analysis
-
max time kernel
150s -
resource
win10v191014 -
submitted
08-01-2020 15:26
Task
task1
Sample
30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
Resource
win7v191014
0 signatures
Task
task2
Sample
30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
Resource
win10v191014
0 signatures
General
-
Target
30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe
-
Sample
200108-d1xesb4fw2
-
SHA256
30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb
Score
8/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.execonhost.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exedescription pid process target process PID 4816 wrote to memory of 4868 4816 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe cmd.exe PID 5096 wrote to memory of 4416 5096 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe cmd.exe PID 5096 wrote to memory of 4516 5096 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe cmd.exe PID 5096 wrote to memory of 1628 5096 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe cmd.exe PID 4628 wrote to memory of 4184 4628 conhost.exe cmd.exe PID 4184 wrote to memory of 4176 4184 cmd.exe PING.EXE PID 4184 wrote to memory of 4140 4184 cmd.exe net.exe PID 4140 wrote to memory of 4008 4140 net.exe net1.exe PID 4628 wrote to memory of 4020 4628 conhost.exe cmd.exe PID 4020 wrote to memory of 4104 4020 cmd.exe PING.EXE PID 4020 wrote to memory of 3972 4020 cmd.exe net.exe PID 3972 wrote to memory of 4108 3972 net.exe net1.exe PID 4628 wrote to memory of 3724 4628 conhost.exe cmd.exe PID 3724 wrote to memory of 3984 3724 cmd.exe PING.EXE PID 3724 wrote to memory of 4124 3724 cmd.exe net.exe PID 4124 wrote to memory of 4732 4124 net.exe net1.exe PID 4628 wrote to memory of 2408 4628 conhost.exe cmd.exe PID 2408 wrote to memory of 2372 2408 cmd.exe PING.EXE PID 2408 wrote to memory of 4736 2408 cmd.exe net.exe PID 4736 wrote to memory of 4776 4736 net.exe net1.exe PID 4628 wrote to memory of 4708 4628 conhost.exe cmd.exe PID 4708 wrote to memory of 4828 4708 cmd.exe PING.EXE PID 4708 wrote to memory of 4468 4708 cmd.exe net.exe PID 4468 wrote to memory of 4684 4468 net.exe net1.exe PID 4628 wrote to memory of 756 4628 conhost.exe cmd.exe PID 756 wrote to memory of 4856 756 cmd.exe PING.EXE PID 756 wrote to memory of 700 756 cmd.exe net.exe PID 700 wrote to memory of 4812 700 net.exe net1.exe PID 4628 wrote to memory of 4892 4628 conhost.exe cmd.exe PID 4892 wrote to memory of 4900 4892 cmd.exe PING.EXE PID 4892 wrote to memory of 4840 4892 cmd.exe net.exe PID 4840 wrote to memory of 4848 4840 net.exe net1.exe PID 4628 wrote to memory of 3332 4628 conhost.exe cmd.exe PID 3332 wrote to memory of 3528 3332 cmd.exe PING.EXE PID 3332 wrote to memory of 360 3332 cmd.exe net.exe PID 360 wrote to memory of 1988 360 net.exe net1.exe PID 4628 wrote to memory of 4980 4628 conhost.exe cmd.exe PID 4980 wrote to memory of 5020 4980 cmd.exe PING.EXE PID 4980 wrote to memory of 3596 4980 cmd.exe net.exe PID 3596 wrote to memory of 64 3596 net.exe net1.exe PID 4628 wrote to memory of 3292 4628 conhost.exe cmd.exe PID 3292 wrote to memory of 3464 3292 cmd.exe PING.EXE PID 3292 wrote to memory of 4520 3292 cmd.exe net.exe PID 4520 wrote to memory of 3668 4520 net.exe net1.exe PID 4628 wrote to memory of 3620 4628 conhost.exe cmd.exe PID 3620 wrote to memory of 4504 3620 cmd.exe PING.EXE PID 3620 wrote to memory of 4472 3620 cmd.exe net.exe PID 4472 wrote to memory of 4484 4472 net.exe net1.exe PID 4628 wrote to memory of 4508 4628 conhost.exe cmd.exe PID 4508 wrote to memory of 4044 4508 cmd.exe PING.EXE PID 4508 wrote to memory of 4380 4508 cmd.exe net.exe PID 4380 wrote to memory of 2076 4380 net.exe net1.exe PID 4628 wrote to memory of 4536 4628 conhost.exe cmd.exe PID 4536 wrote to memory of 4544 4536 cmd.exe PING.EXE PID 4536 wrote to memory of 4564 4536 cmd.exe net.exe PID 4564 wrote to memory of 3748 4564 net.exe net1.exe PID 4628 wrote to memory of 4228 4628 conhost.exe cmd.exe PID 4228 wrote to memory of 4172 4228 cmd.exe PING.EXE PID 4228 wrote to memory of 1712 4228 cmd.exe net.exe PID 1712 wrote to memory of 4132 1712 net.exe net1.exe PID 4628 wrote to memory of 3708 4628 conhost.exe cmd.exe PID 3708 wrote to memory of 4136 3708 cmd.exe PING.EXE PID 3708 wrote to memory of 1964 3708 cmd.exe net.exe PID 1964 wrote to memory of 4112 1964 net.exe net1.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.execonhost.exepid process 5096 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe 4628 conhost.exe -
Drops file in Windows directory 8 IoCs
Processes:
cmd.exe30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.execmd.exedescription ioc process File renamed C:\Users\Admin\AppData\Local\Temp\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe => C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe cmd.exe File opened for modification C:\Windows\InstallUtil.InstallLog 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe File opened for modification C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.InstallLog 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe File created C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.InstallState 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe File deleted C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.InstallLog 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe File deleted C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.InstallState 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe File deleted C:\Windows\InstallUtil.InstallLog 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe File renamed C:\Windows\Temp\tmpD30F.tmp => C:\Windows\conhost.exe cmd.exe -
Processes:
PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEpid process 4700 PING.EXE 3464 PING.EXE 4688 PING.EXE 3628 PING.EXE 4504 PING.EXE 2564 PING.EXE 4544 PING.EXE 4408 PING.EXE 3984 PING.EXE 504 PING.EXE 3120 PING.EXE 4544 PING.EXE 4176 PING.EXE 3416 PING.EXE 436 PING.EXE 1988 PING.EXE 2372 PING.EXE 444 PING.EXE 3400 PING.EXE 4988 PING.EXE 2224 PING.EXE 4980 PING.EXE 4900 PING.EXE 3528 PING.EXE 932 PING.EXE 2508 PING.EXE 4044 PING.EXE 1624 PING.EXE 2516 PING.EXE 784 PING.EXE 4540 PING.EXE 4172 PING.EXE 4172 PING.EXE 3684 PING.EXE 4992 PING.EXE 3436 PING.EXE 4812 PING.EXE 4472 PING.EXE 5020 PING.EXE 4948 PING.EXE 4136 PING.EXE 2112 PING.EXE 1620 PING.EXE 4704 PING.EXE 4444 PING.EXE 1264 PING.EXE 4708 PING.EXE 4880 PING.EXE 4828 PING.EXE 3464 PING.EXE 4836 PING.EXE 1448 PING.EXE 4104 PING.EXE 4856 PING.EXE 1620 PING.EXE 4892 PING.EXE 580 PING.EXE 4544 PING.EXE 2384 PING.EXE -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.execonhost.exedescription pid process Token: SeDebugPrivilege 4816 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe Token: SeDebugPrivilege 4964 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe Token: SeDebugPrivilege 5096 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe Token: SeDebugPrivilege 4628 conhost.exe Token: 33 4628 conhost.exe Token: SeIncBasePriorityPrivilege 4628 conhost.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
cmd.exepid process 4868 cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
conhost.exepid process 4628 conhost.exe -
Modifies service 2 TTPs 2 IoCs
Processes:
30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\AutoBackupLogFiles = "0" 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\csrss\EventMessageFile = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\EventLogMessages.dll" 30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe -
Runs net.exe 110 IoCs
Processes:
net.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet1.exenet1.exenet1.exenet1.exenet1.exenet1.exenet1.exenet1.exenet1.exepid process 4124 net.exe 4408 net.exe 2372 net.exe 4124 net.exe 3904 net.exe 4500 net.exe 3596 net.exe 1964 net.exe 1408 net.exe 4160 net.exe 4596 net.exe 4468 net.exe 4380 net.exe 4924 net.exe 4500 net.exe 4704 net.exe 3412 net.exe 4840 net.exe 4564 net.exe 300 net.exe 4816 net.exe 3800 net.exe 4140 net.exe 700 net.exe 3972 net.exe 432 net.exe 2184 net.exe 2428 net.exe 2404 net.exe 4472 net.exe 4820 net.exe 1988 net.exe 5000 net.exe 4520 net.exe 1712 net.exe 5016 net.exe 3208 net.exe 4796 net.exe 4412 net.exe 2228 net.exe 4580 net.exe 2592 net.exe 3444 net.exe 4468 net.exe 1984 net.exe 4020 net.exe 2392 net.exe 4428 net.exe 4824 net.exe 4756 net.exe 4736 net.exe 360 net.exe 1808 net.exe 3840 net.exe 5104 net.exe 688 net1.exe 3128 net1.exe 2684 net1.exe 4848 net1.exe 4112 net1.exe 4968 net1.exe 3748 net1.exe 1496 net1.exe 4264 net1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe"C:\Users\Admin\AppData\Local\Temp\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c ping 127.0.0.1 -n 3 > nul && move "C:\Users\Admin\AppData\Local\Temp\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe" "C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe" && start "" C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe && exit2⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 33⤵
- Runs ping.exe
-
C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exeC:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe3⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Modifies service
-
C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe"C:\Windows\30cf8238f8cf6c84673248e969c727a6b6098050ff8962fb51af14612acc9beb.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c ping 127.0.0.1 -n 1 > nul && del "C:\Windows\conhost".exe && exit2⤵
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 13⤵
- Runs ping.exe
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c ping 127.0.0.1 -n 1 > nul && cd C:\Windows\TEMP && move "tmpD30F.tmp" "C:\Windows\conhost.exe" && exit2⤵
- Drops file in Windows directory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 13⤵
- Runs ping.exe
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c ping 127.0.0.1 -n 2 > nul && start "" "C:\Windows\conhost.exe" nomLpvrwn+bYhunlL+B+QlB3CRqwJAl+ECjBTGCegLvDPermROFLZIyVEG890/b3LxqXVEMzIOWPbAtlo2HYdVQLotwEpEXuj+a0b7H6mIyWJavckjlozsFAZRq3Yfuv9bqgvwkeQs5dSmGCUIEtCGmINz/N1uPWvJOvzvojQOdeyKPgrfnNTpdoQ2enx/bNqweCryr2FN4uQNev8IXHWisdCME1z1/1OPBrmawROa2ervV+KmjerH3sMqYpVisLA0rAXUwQia3lZ1PD27QB9B/Bhw7QvuRvZH6OSRwnHcBGEqFisPuejgC7P3K5cAKGrx0udhzKFrHF/7SL/+iBfPxlmvmJuUlpe70oKVRglf4SuRIBu/QNgylyJJAvrlSOotFTivrTDVRdDF537Xyp+bPMUCzrxxL+QCTEf/0qvgAgXKe3U6ghSzId26SvHqlc8o6c9k8QYO7SyXQRPAVcPjYJ1DC4uTMpG6TtsCW/9JVZHQWWsV8Wp8H/6jy4ZvscncVAqZszmiHHOHsWlL8IOMzeMh3fSA9REEQ8W77WKcpp9lktjKCy2niPgdRY/Rkthzyj1EFBKs6/bwP+4LjwmYdGSCXvOBY1gp5tWmwlCEs= && exit2⤵
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
-
C:\Windows\conhost.exe"C:\Windows\conhost.exe" nomLpvrwn+bYhunlL+B+QlB3CRqwJAl+ECjBTGCegLvDPermROFLZIyVEG890/b3LxqXVEMzIOWPbAtlo2HYdVQLotwEpEXuj+a0b7H6mIyWJavckjlozsFAZRq3Yfuv9bqgvwkeQs5dSmGCUIEtCGmINz/N1uPWvJOvzvojQOdeyKPgrfnNTpdoQ2enx/bNqweCryr2FN4uQNev8IXHWisdCME1z1/1OPBrmawROa2ervV+KmjerH3sMqYpVisLA0rAXUwQia3lZ1PD27QB9B/Bhw7QvuRvZH6OSRwnHcBGEqFisPuejgC7P3K5cAKGrx0udhzKFrHF/7SL/+iBfPxlmvmJuUlpe70oKVRglf4SuRIBu/QNgylyJJAvrlSOotFTivrTDVRdDF537Xyp+bPMUCzrxxL+QCTEf/0qvgAgXKe3U6ghSzId26SvHqlc8o6c9k8QYO7SyXQRPAVcPjYJ1DC4uTMpG6TtsCW/9JVZHQWWsV8Wp8H/6jy4ZvscncVAqZszmiHHOHsWlL8IOMzeMh3fSA9REEQ8W77WKcpp9lktjKCy2niPgdRY/Rkthzyj1EFBKs6/bwP+4LjwmYdGSCXvOBY1gp5tWmwlCEs=3⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
- Runs net.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
- Runs net.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Suspicious use of WriteProcessMemory
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
- Runs net.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
- Runs net.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
- Runs net.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
- Runs net.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
- Runs net.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
- Runs net.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
- Runs net.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul && net start csrss && exit4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 15⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\net.exenet start csrss5⤵
- Runs net.exe
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start csrss6⤵