modiloader | e67dd040ce53fbf4e0ef2121dabd060c5c764ede3eec55801376b144a0f40419

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7v200430
submitted
08/07/2020, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de2ebb27023e08b71d091c7695c59192.exe
Size

649KB
MD5

de2ebb27023e08b71d091c7695c59192
SHA1

6b5d2d11a1b712b38d6d699612cdd66fcc755db8
SHA256

e67dd040ce53fbf4e0ef2121dabd060c5c764ede3eec55801376b144a0f40419
SHA512

39c16d7f3672c6ee3c848e898a56b678bc7127ed1af0984a726a4557d8cd73ee96cdea1aa97f79e92680acfed7f666fd35e9f456acf15a54308cbc0eedc99071

Score

10^/10

modiloader remcos persistence rat trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
1644	fodhelper.exe
1196	fodhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Qgnh = "C:\\Users\\Admin\\AppData\\Local\\Qgnh\\Qgnh.hta"	de2ebb27023e08b71d091c7695c59192.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
1556	reg.exe
1044	reg.exe
1452	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1072	ieinstal.exe

Suspicious use of WriteProcessMemory 537 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1388 wrote to memory of 1328	1388	de2ebb27023e08b71d091c7695c59192.exe	26
PID 1328 wrote to memory of 1816	1328	TapiUnattend.exe	29
PID 1328 wrote to memory of 1816	1328	TapiUnattend.exe	29
PID 1328 wrote to memory of 1816	1328	TapiUnattend.exe	29
PID 1328 wrote to memory of 1816	1328	TapiUnattend.exe	29
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1388 wrote to memory of 1072	1388	de2ebb27023e08b71d091c7695c59192.exe	30
PID 1816 wrote to memory of 1556	1816	cmd.exe	32
PID 1816 wrote to memory of 1556	1816	cmd.exe	32
PID 1816 wrote to memory of 1556	1816	cmd.exe	32
PID 1816 wrote to memory of 1556	1816	cmd.exe	32
PID 1816 wrote to memory of 1044	1816	cmd.exe	33
PID 1816 wrote to memory of 1044	1816	cmd.exe	33
PID 1816 wrote to memory of 1044	1816	cmd.exe	33
PID 1816 wrote to memory of 1044	1816	cmd.exe	33
PID 1816 wrote to memory of 736	1816	cmd.exe	34
PID 1816 wrote to memory of 736	1816	cmd.exe	34
PID 1816 wrote to memory of 736	1816	cmd.exe	34
PID 1816 wrote to memory of 736	1816	cmd.exe	34
PID 1816 wrote to memory of 1452	1816	cmd.exe	35
PID 1816 wrote to memory of 1452	1816	cmd.exe	35
PID 1816 wrote to memory of 1452	1816	cmd.exe	35
PID 1816 wrote to memory of 1452	1816	cmd.exe	35
PID 1328 wrote to memory of 1528	1328	TapiUnattend.exe	36
PID 1328 wrote to memory of 1528	1328	TapiUnattend.exe	36
PID 1328 wrote to memory of 1528	1328	TapiUnattend.exe	36
PID 1328 wrote to memory of 1528	1328	TapiUnattend.exe	36

C:\Users\Admin\AppData\Local\Temp\de2ebb27023e08b71d091c7695c59192.exe
"C:\Users\Admin\AppData\Local\Temp\de2ebb27023e08b71d091c7695c59192.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\TapiUnattend.exe
  "C:\Windows\System32\TapiUnattend.exe"
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Public\Natso.bat
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:1556
  - - C:\Windows\SysWOW64\reg.exe
      reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
      4⤵
      Modifies registry key
      PID:1044
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      4⤵
      PID:736
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Public\Runex.bat
    3⤵
    PID:1528
  - - C:\Windows \System32\fodhelper.exe
      "C:\Windows \System32\fodhelper.exe"
      4⤵
      Executes dropped EXE
      PID:1644
  - - C:\Windows \System32\fodhelper.exe
      "C:\Windows \System32\fodhelper.exe"
      4⤵
      Executes dropped EXE
      PID:1196
- C:\Program Files (x86)\internet explorer\ieinstal.exe
  "C:\Program Files (x86)\internet explorer\ieinstal.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-130-0x0000000010530000-0x0000000010554000-memory.dmp

Filesize
144KB

Download
memory/1388-124-0x0000000010410000-0x0000000010450000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads