bitrat | 66fdb47c24f569d7fae5707024809698812a40458216414827d3ea57cfb19dbb

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9874cdde692f485a1c609aeafd075c3.exe
Size

16.5MB
MD5

b9874cdde692f485a1c609aeafd075c3
SHA1

8806ac9b20eaa78f89b5dfd1b78a3c7fb5cbffce
SHA256

66fdb47c24f569d7fae5707024809698812a40458216414827d3ea57cfb19dbb
SHA512

955e5e731e2d3fe9299fb90995fba95409d5b6086306960defbdc17f855175c63ccdb713f16b3e6ac3ee007f2317461d2e8693afefc56e7de494d879a3fd0aee
SSDEEP

98304:AQC5lSLCSHP8Z2HOR0mW1LCjqOMKmxE6G:LC5R0mh

Score

10^/10

bitrat hiverat quasar et rat spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

orcus.dyndns.org:1605

lsdw.dyndns.org:1606

labeokunta.dynnds.org:1606

xpert.dyndns.biz:1605

qz.dyndns.org:1605

imageline.dyndns.org:1606

kontakt-update.selfip.net:1606

Mutex

QSR_MUTEX_X8N0tEAk1p1Gbe9ioj

Attributes

encryption_key
jVpAHlJqCIQYSDZsOYMx
install_name
Client.exe
log_directory
db.xlm
reconnect_delay
30000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

bitrat

Version

1.38

hiv.dyndns.org:2222

Attributes

communication_password
194dd40edef1873b88c241057bb55f1b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat
Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

PING.EXE

flow ioc

60 ip-api.com
2724 PING.EXE
101 ip-api.com

flow	ioc
60	ip-api.com
2724	PING.EXE
101	ip-api.com

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4336-5-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

HiveRAT payload 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4352-6-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-9-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-23-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-19-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-25-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-27-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-36-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-42-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-44-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/4352-46-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral2/memory/2484-134-0x0000000001550000-0x00000000015DE000-memory.dmp	family_hiverat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b9874cdde692f485a1c609aeafd075c3.exeb9874cdde692f485a1c609aeafd075c3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	b9874cdde692f485a1c609aeafd075c3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	b9874cdde692f485a1c609aeafd075c3.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

60 ip-api.com
101 ip-api.com

flow	ioc
60	ip-api.com
101	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

b9874cdde692f485a1c609aeafd075c3.exeb9874cdde692f485a1c609aeafd075c3.exe

pid	process
3516	b9874cdde692f485a1c609aeafd075c3.exe
3516	b9874cdde692f485a1c609aeafd075c3.exe
3516	b9874cdde692f485a1c609aeafd075c3.exe
3516	b9874cdde692f485a1c609aeafd075c3.exe
384	b9874cdde692f485a1c609aeafd075c3.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

b9874cdde692f485a1c609aeafd075c3.exeb9874cdde692f485a1c609aeafd075c3.exe

description	pid	process	target process
PID 3244 set thread context of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 set thread context of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 set thread context of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 set thread context of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 set thread context of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 set thread context of 384	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5060 4336 WerFault.exe b9874cdde692f485a1c609aeafd075c3.exe
4860 4312 WerFault.exe b9874cdde692f485a1c609aeafd075c3.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2724 PING.EXE
4940 PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b9874cdde692f485a1c609aeafd075c3.exe

pid process

4352 b9874cdde692f485a1c609aeafd075c3.exe

pid	pid_target	process	target process
5060	4336	WerFault.exe	b9874cdde692f485a1c609aeafd075c3.exe
4860	4312	WerFault.exe	b9874cdde692f485a1c609aeafd075c3.exe

pid	process
2724	PING.EXE
4940	PING.EXE

pid	process
4352	b9874cdde692f485a1c609aeafd075c3.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

b9874cdde692f485a1c609aeafd075c3.exeb9874cdde692f485a1c609aeafd075c3.exeb9874cdde692f485a1c609aeafd075c3.exeb9874cdde692f485a1c609aeafd075c3.exeb9874cdde692f485a1c609aeafd075c3.exeb9874cdde692f485a1c609aeafd075c3.exe

description	pid	process
Token: SeDebugPrivilege	4352	b9874cdde692f485a1c609aeafd075c3.exe
Token: SeShutdownPrivilege	3516	b9874cdde692f485a1c609aeafd075c3.exe
Token: SeDebugPrivilege	4336	b9874cdde692f485a1c609aeafd075c3.exe
Token: SeDebugPrivilege	2484	b9874cdde692f485a1c609aeafd075c3.exe
Token: SeDebugPrivilege	4312	b9874cdde692f485a1c609aeafd075c3.exe
Token: SeShutdownPrivilege	384	b9874cdde692f485a1c609aeafd075c3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b9874cdde692f485a1c609aeafd075c3.exeb9874cdde692f485a1c609aeafd075c3.exeb9874cdde692f485a1c609aeafd075c3.exe

pid	process
3516	b9874cdde692f485a1c609aeafd075c3.exe
3516	b9874cdde692f485a1c609aeafd075c3.exe
4336	b9874cdde692f485a1c609aeafd075c3.exe
4312	b9874cdde692f485a1c609aeafd075c3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b9874cdde692f485a1c609aeafd075c3.exeb9874cdde692f485a1c609aeafd075c3.execmd.exeb9874cdde692f485a1c609aeafd075c3.exe

C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
"C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3244

C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
"C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAikTUecDnIX.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:400

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Quasar RAT
- Runs ping.exe
PID:2724

C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
"C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3668

C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
"C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vemGXra0EGNF.bat" "
6⤵
PID:1228

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:1060

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 2248
6⤵
- Program crash
PID:4860

C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
"C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
"C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
5⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 2216
3⤵
- Program crash
PID:5060

C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
"C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe
"C:\Users\Admin\AppData\Local\Temp\b9874cdde692f485a1c609aeafd075c3.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4336 -ip 4336
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4312 -ip 4312
1⤵
PID:4212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b9874cdde692f485a1c609aeafd075c3.exe.log
Filesize
323B

MD5
4af72c00db90b95c23cc32823c5b0453

SHA1
80f3754f05c09278987cba54e34b76f1ddbee5fd

SHA256
5a99dc099cb5297a4d7714af94b14f170d8a0506899c82d6b8231a220f8dba5d

SHA512
47aa798c4822bfd0b2a9110fcd1531494da99cf6e4aba5b59bfc36e21fcb1bdb5378189318bbb8519f0e8be732d90637f787ab63997d106bbcff31396155f9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAikTUecDnIX.bat
Filesize
229B

MD5
ade7d46d917f5b9c7d7783b244e82b79

SHA1
58fbb677f535c6215b3175e369379fa374591bff

SHA256
9a900ccbb36e27c0d68bf459c31c58961b3c4d05a18ed7893afa2629c914e7cb

SHA512
0d07599848acfe2809ce72bfad58ad834b84536e5f8bc6b9b6e1afe3f62dfda7f7ffc0c9f135b110a52d7a209adcd6cb54eba1e41aa3bf8b34912398fd52f0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vemGXra0EGNF.bat
Filesize
229B

MD5
d642bdd074037e7d4b23e7cf6652fd46

SHA1
eba2d857a6afb55270d6bc43224d5131cfcafe41

SHA256
23915628456f16ac12b6dc31a4e814379b33424bd555be010842360fd1c33b5f

SHA512
512f4e181d12a348cb17a4f7d2c65b9c8f6323b858247b05de472f8ebc4598dc6afe3c96192efad7f102cd62c6f095c17e6388a6bc3d3cf34316d0715cda3b69

Download Submit
C:\Users\Admin\AppData\Roaming\db.xlm\03-07-2024
Filesize
224B

MD5
b406aa4ee7f4bff372859eed790329d1

SHA1
426527561522ea4e846ddad0d0ecc269cd616228

SHA256
8a2bf4593a08843ff796bcfc951859dca414d0572d0ab661d03c5ac2fe7ce0fd

SHA512
84fde5df3ae7c793b58a42be2913c9f58015432a66da00fc279eef4fe5f4a520aafec1eec86910f503f135df2725ced5de254d8c04a0e75e0b7c34fc43abc6ed

Download Submit
memory/384-120-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/384-193-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/384-191-0x0000000075900000-0x0000000075939000-memory.dmp

Filesize
228KB

Download
memory/2484-133-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/2484-182-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/2484-181-0x00000000059F0000-0x0000000005A00000-memory.dmp

Filesize
64KB

Download
memory/2484-134-0x0000000001550000-0x00000000015DE000-memory.dmp

Filesize
568KB

Download
memory/3244-4-0x00000000024F0000-0x00000000024FE000-memory.dmp

Filesize
56KB

Download
memory/3244-3-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/3244-2-0x0000000006790000-0x000000000682C000-memory.dmp

Filesize
624KB

Download
memory/3244-0-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/3244-16-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/3244-1-0x0000000000D50000-0x0000000001DDC000-memory.dmp

Filesize
16.5MB

Download
memory/3516-100-0x0000000075900000-0x0000000075939000-memory.dmp

Filesize
228KB

Download
memory/3516-71-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-196-0x0000000075900000-0x0000000075939000-memory.dmp

Filesize
228KB

Download
memory/3516-8-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-14-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-10-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-84-0x0000000070990000-0x00000000709C9000-memory.dmp

Filesize
228KB

Download
memory/3516-107-0x0000000075900000-0x0000000075939000-memory.dmp

Filesize
228KB

Download
memory/3516-104-0x0000000075900000-0x0000000075939000-memory.dmp

Filesize
228KB

Download
memory/3516-83-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-97-0x0000000075900000-0x0000000075939000-memory.dmp

Filesize
228KB

Download
memory/3516-62-0x0000000071C80000-0x0000000071CB9000-memory.dmp

Filesize
228KB

Download
memory/3516-94-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-72-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-74-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-73-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-75-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-77-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-76-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-78-0x0000000070C00000-0x0000000070C39000-memory.dmp

Filesize
228KB

Download
memory/3516-82-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3516-92-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3668-93-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/3668-101-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/3668-119-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4312-112-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4312-115-0x0000000006680000-0x0000000006690000-memory.dmp

Filesize
64KB

Download
memory/4312-189-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4336-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4336-22-0x00000000064A0000-0x00000000064B0000-memory.dmp

Filesize
64KB

Download
memory/4336-81-0x0000000007A50000-0x0000000007A5A000-memory.dmp

Filesize
40KB

Download
memory/4336-79-0x00000000076D0000-0x000000000770C000-memory.dmp

Filesize
240KB

Download
memory/4336-89-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4336-63-0x0000000007050000-0x0000000007062000-memory.dmp

Filesize
72KB

Download
memory/4336-12-0x0000000006880000-0x0000000006E24000-memory.dmp

Filesize
5.6MB

Download
memory/4336-11-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4336-31-0x0000000006410000-0x0000000006476000-memory.dmp

Filesize
408KB

Download
memory/4336-15-0x0000000006370000-0x0000000006402000-memory.dmp

Filesize
584KB

Download
memory/4352-96-0x0000000006260000-0x0000000006270000-memory.dmp

Filesize
64KB

Download
memory/4352-27-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-36-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-42-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-44-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-46-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-17-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4352-23-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-9-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-25-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-70-0x0000000006260000-0x0000000006270000-memory.dmp

Filesize
64KB

Download
memory/4352-6-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4352-90-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4352-19-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download

description	pid	process	target process
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4336	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 4352	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3244 wrote to memory of 3516	3244	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 4336 wrote to memory of 2936	4336	b9874cdde692f485a1c609aeafd075c3.exe	cmd.exe
PID 4336 wrote to memory of 2936	4336	b9874cdde692f485a1c609aeafd075c3.exe	cmd.exe
PID 4336 wrote to memory of 2936	4336	b9874cdde692f485a1c609aeafd075c3.exe	cmd.exe
PID 2936 wrote to memory of 400	2936	cmd.exe	chcp.com
PID 2936 wrote to memory of 400	2936	cmd.exe	chcp.com
PID 2936 wrote to memory of 400	2936	cmd.exe	chcp.com
PID 2936 wrote to memory of 2724	2936	cmd.exe	PING.EXE
PID 2936 wrote to memory of 2724	2936	cmd.exe	PING.EXE
PID 2936 wrote to memory of 2724	2936	cmd.exe	PING.EXE
PID 2936 wrote to memory of 3668	2936	cmd.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 2936 wrote to memory of 3668	2936	cmd.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 2936 wrote to memory of 3668	2936	cmd.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 4312	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe
PID 3668 wrote to memory of 2484	3668	b9874cdde692f485a1c609aeafd075c3.exe	b9874cdde692f485a1c609aeafd075c3.exe