njrat | d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

Analysis

max time kernel
156s
max time network
74s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
Size

151KB
MD5

8f84ba13287f7ee0c93789149019d804
SHA1

ed79b8478aa8616336e7611f2ba26ce49cc8e501
SHA256

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659
SHA512

4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa
SSDEEP

3072:tWudTyuuyrJ3BWIFUU99A5YzB/0V2DFP3IsS1PbQp+KQ:TiyrdrU498KpPrMbv

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

visichatrooms.no-ip.info:92

Mutex

8f804de644157aa7bac4cf1736c75287

Attributes

reg_key
8f804de644157aa7bac4cf1736c75287
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

304 svchost.exe
1356 svchost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1792 netsh.exe

pid	process
304	svchost.exe
1356	svchost.exe

pid	process
1792	netsh.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8f804de644157aa7bac4cf1736c75287.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8f804de644157aa7bac4cf1736c75287.exe	svchost.exe

Loads dropped DLL 2 IoCs

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe

pid	process
1168	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1168	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\side = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\side.exe"	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\side = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\side.exe"	svchost.exe

Suspicious use of SetThreadContext 21 IoCs

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exesvchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exesvchost.exe

pid	process
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
304	svchost.exe
1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
Token: SeDebugPrivilege	304	svchost.exe
Token: SeDebugPrivilege	1356	svchost.exe
Token: 33	1356	svchost.exe
Token: SeIncBasePriorityPrivilege	1356	svchost.exe
Token: 33	1356	svchost.exe
Token: SeIncBasePriorityPrivilege	1356	svchost.exe
Token: 33	1356	svchost.exe
Token: SeIncBasePriorityPrivilege	1356	svchost.exe
Token: 33	1356	svchost.exe
Token: SeIncBasePriorityPrivilege	1356	svchost.exe
Token: 33	1356	svchost.exe
Token: SeIncBasePriorityPrivilege	1356	svchost.exe
Token: 33	1356	svchost.exe
Token: SeIncBasePriorityPrivilege	1356	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exed371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exesvchost.exe

description	pid	process	target process
PID 1196 wrote to memory of 984	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 1196 wrote to memory of 984	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 1196 wrote to memory of 984	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 1196 wrote to memory of 984	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 1196 wrote to memory of 1964	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 1196 wrote to memory of 1964	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 1196 wrote to memory of 1964	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 1196 wrote to memory of 1964	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	CMD.exe
PID 1196 wrote to memory of 1168	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1168	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1168	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1168	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1168	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1168	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1168	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1168	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1168	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1168 wrote to memory of 304	1168	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	svchost.exe
PID 1168 wrote to memory of 304	1168	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	svchost.exe
PID 1168 wrote to memory of 304	1168	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	svchost.exe
PID 1168 wrote to memory of 304	1168	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	svchost.exe
PID 304 wrote to memory of 1144	304	svchost.exe	CMD.exe
PID 304 wrote to memory of 1144	304	svchost.exe	CMD.exe
PID 304 wrote to memory of 1144	304	svchost.exe	CMD.exe
PID 304 wrote to memory of 1144	304	svchost.exe	CMD.exe
PID 304 wrote to memory of 1088	304	svchost.exe	CMD.exe
PID 304 wrote to memory of 1088	304	svchost.exe	CMD.exe
PID 304 wrote to memory of 1088	304	svchost.exe	CMD.exe
PID 304 wrote to memory of 1088	304	svchost.exe	CMD.exe
PID 1196 wrote to memory of 1552	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1552	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1552	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1552	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1552	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1552	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1552	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1552	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1552	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 2044	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 2044	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 2044	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 2044	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 2044	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 2044	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 2044	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 2044	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 2044	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1320	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1320	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1320	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1320	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1320	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1320	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1320	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1320	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 wrote to memory of 1320	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 304 wrote to memory of 1356	304	svchost.exe	svchost.exe
PID 304 wrote to memory of 1356	304	svchost.exe	svchost.exe
PID 304 wrote to memory of 1356	304	svchost.exe	svchost.exe
PID 304 wrote to memory of 1356	304	svchost.exe	svchost.exe
PID 304 wrote to memory of 1356	304	svchost.exe	svchost.exe
PID 304 wrote to memory of 1356	304	svchost.exe	svchost.exe
PID 304 wrote to memory of 1356	304	svchost.exe	svchost.exe
PID 304 wrote to memory of 1356	304	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:984

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\CMD.exe
"CMD"
4⤵
PID:1144

C:\Windows\SysWOW64\CMD.exe
"CMD"
4⤵
PID:1088

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:1792

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:596

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
"C:\Users\Admin\AppData\Local\Temp\d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe"
2⤵
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\side.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\side.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
151KB

MD5
8f84ba13287f7ee0c93789149019d804

SHA1
ed79b8478aa8616336e7611f2ba26ce49cc8e501

SHA256
d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659

SHA512
4702ac59dfcb6ab95ea02ceb9943baec3afeb38c03cc748fc6a6af2de3d0ab84e90a6a4b142caf842f42433ef8bde6ee8032955a80a0282a0ed12a9b5f5543fa

Download Submit
memory/304-95-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/304-75-0x0000000000000000-mapping.dmp

Download
memory/304-124-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/336-213-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/336-212-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/336-206-0x000000000040749E-mapping.dmp

Download
memory/836-255-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/836-248-0x000000000040749E-mapping.dmp

Download
memory/836-254-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/896-147-0x000000000040749E-mapping.dmp

Download
memory/896-153-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/896-156-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/900-262-0x000000000040749E-mapping.dmp

Download
memory/900-268-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/900-269-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/984-55-0x0000000000000000-mapping.dmp

Download
memory/1088-81-0x0000000000000000-mapping.dmp

Download
memory/1144-80-0x0000000000000000-mapping.dmp

Download
memory/1168-66-0x000000000040749E-mapping.dmp

Download
memory/1168-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1168-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1168-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1168-72-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1168-64-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1168-79-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-68-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1168-70-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1196-56-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-59-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1204-296-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1204-290-0x000000000040749E-mapping.dmp

Download
memory/1204-297-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-118-0x000000000040749E-mapping.dmp

Download
memory/1320-125-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-140-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-227-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-226-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-220-0x000000000040749E-mapping.dmp

Download
memory/1356-184-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1356-132-0x000000000040749E-mapping.dmp

Download
memory/1356-139-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1392-304-0x000000000040749E-mapping.dmp

Download
memory/1392-310-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1392-311-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1512-360-0x000000000040749E-mapping.dmp

Download
memory/1524-170-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-169-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1524-163-0x000000000040749E-mapping.dmp

Download
memory/1552-96-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1552-97-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1552-89-0x000000000040749E-mapping.dmp

Download
memory/1568-339-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-338-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-332-0x000000000040749E-mapping.dmp

Download
memory/1696-324-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-325-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-318-0x000000000040749E-mapping.dmp

Download
memory/1732-276-0x000000000040749E-mapping.dmp

Download
memory/1732-282-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-283-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1792-154-0x0000000000000000-mapping.dmp

Download
memory/1880-353-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-346-0x000000000040749E-mapping.dmp

Download
memory/1880-352-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-185-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-183-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-177-0x000000000040749E-mapping.dmp

Download
memory/1964-57-0x0000000000000000-mapping.dmp

Download
memory/1968-198-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-199-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-192-0x000000000040749E-mapping.dmp

Download
memory/2012-241-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-240-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-234-0x000000000040749E-mapping.dmp

Download
memory/2044-104-0x000000000040749E-mapping.dmp

Download
memory/2044-110-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/2044-111-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 1196 set thread context of 1168	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 1552	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 2044	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 1320	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 304 set thread context of 1356	304	svchost.exe	svchost.exe
PID 1196 set thread context of 896	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 1524	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 1884	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 1968	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 336	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 1328	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 2012	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 836	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 900	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 1732	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 1204	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 1392	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 1696	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 1568	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 1880	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe
PID 1196 set thread context of 1512	1196	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe	d371c690a44298c201a1ccabfc1b95b0b6a6ea4173500a23ec57093b0d039659.exe