modiloader | f3453d83f263aa7665cb7398e7216db55cb8d7d75b8d45cdaf889c9265ba72fb

Analysis

max time kernel
142s
max time network
155s
platform
windows7_x64
resource
win7
submitted
18-07-2020 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11be16366d3bb6a869e752ff67c3d113.exe
Size

664KB
MD5

11be16366d3bb6a869e752ff67c3d113
SHA1

1e73a33ed28c80d38f0b4043122c3addcdcaa5e5
SHA256

f3453d83f263aa7665cb7398e7216db55cb8d7d75b8d45cdaf889c9265ba72fb
SHA512

83c75d5939ed70f30ee599cc073d6edb37835c12a6ea1be4426c98905f708aa69f12e3bf49f009db380873afefab372c9acfa0f432bb073174de6be737381950

Score

10^/10

modiloader remcos persistence rat trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2424	fodhelper.exe
2444	fodhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Hjrb = "C:\\Users\\Admin\\AppData\\Local\\Hjrb\\Hjrb.hta"	11be16366d3bb6a869e752ff67c3d113.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 2248	1460	11be16366d3bb6a869e752ff67c3d113.exe	29

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2328	reg.exe
2340	reg.exe
2372	reg.exe

Suspicious use of WriteProcessMemory 527 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1460 wrote to memory of 1816	1460	11be16366d3bb6a869e752ff67c3d113.exe	26
PID 1816 wrote to memory of 2256	1816	TapiUnattend.exe	30
PID 1816 wrote to memory of 2256	1816	TapiUnattend.exe	30
PID 1816 wrote to memory of 2256	1816	TapiUnattend.exe	30
PID 1816 wrote to memory of 2256	1816	TapiUnattend.exe	30
PID 1460 wrote to memory of 2248	1460	11be16366d3bb6a869e752ff67c3d113.exe	29
PID 1460 wrote to memory of 2248	1460	11be16366d3bb6a869e752ff67c3d113.exe	29
PID 1460 wrote to memory of 2248	1460	11be16366d3bb6a869e752ff67c3d113.exe	29
PID 1460 wrote to memory of 2248	1460	11be16366d3bb6a869e752ff67c3d113.exe	29
PID 1460 wrote to memory of 2248	1460	11be16366d3bb6a869e752ff67c3d113.exe	29
PID 1460 wrote to memory of 2248	1460	11be16366d3bb6a869e752ff67c3d113.exe	29
PID 1460 wrote to memory of 2248	1460	11be16366d3bb6a869e752ff67c3d113.exe	29
PID 1460 wrote to memory of 2248	1460	11be16366d3bb6a869e752ff67c3d113.exe	29
PID 1460 wrote to memory of 2248	1460	11be16366d3bb6a869e752ff67c3d113.exe	29
PID 2256 wrote to memory of 2328	2256	cmd.exe	32
PID 2256 wrote to memory of 2328	2256	cmd.exe	32
PID 2256 wrote to memory of 2328	2256	cmd.exe	32
PID 2256 wrote to memory of 2328	2256	cmd.exe	32
PID 2256 wrote to memory of 2340	2256	cmd.exe	33
PID 2256 wrote to memory of 2340	2256	cmd.exe	33
PID 2256 wrote to memory of 2340	2256	cmd.exe	33
PID 2256 wrote to memory of 2340	2256	cmd.exe	33
PID 2256 wrote to memory of 2352	2256	cmd.exe	34
PID 2256 wrote to memory of 2352	2256	cmd.exe	34
PID 2256 wrote to memory of 2352	2256	cmd.exe	34
PID 2256 wrote to memory of 2352	2256	cmd.exe	34
PID 2256 wrote to memory of 2372	2256	cmd.exe	35
PID 2256 wrote to memory of 2372	2256	cmd.exe	35
PID 2256 wrote to memory of 2372	2256	cmd.exe	35
PID 2256 wrote to memory of 2372	2256	cmd.exe	35
PID 1816 wrote to memory of 2384	1816	TapiUnattend.exe	36
PID 1816 wrote to memory of 2384	1816	TapiUnattend.exe	36
PID 1816 wrote to memory of 2384	1816	TapiUnattend.exe	36
PID 1816 wrote to memory of 2384	1816	TapiUnattend.exe	36

C:\Users\Admin\AppData\Local\Temp\11be16366d3bb6a869e752ff67c3d113.exe
"C:\Users\Admin\AppData\Local\Temp\11be16366d3bb6a869e752ff67c3d113.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\TapiUnattend.exe
  "C:\Windows\System32\TapiUnattend.exe"
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Public\Natso.bat
    3⤵
    PID:2256
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:2328
  - - C:\Windows\SysWOW64\reg.exe
      reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
      4⤵
      Modifies registry key
      PID:2340
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      4⤵
      PID:2352
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Public\Runex.bat
    3⤵
    PID:2384
  - - C:\Windows \System32\fodhelper.exe
      "C:\Windows \System32\fodhelper.exe"
      4⤵
      Executes dropped EXE
      PID:2424
  - - C:\Windows \System32\fodhelper.exe
      "C:\Windows \System32\fodhelper.exe"
      4⤵
      Executes dropped EXE
      PID:2444
- C:\Program Files (x86)\internet explorer\ieinstal.exe
  "C:\Program Files (x86)\internet explorer\ieinstal.exe"
  2⤵
  PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-124-0x0000000050480000-0x00000000504C0000-memory.dmp

Filesize
256KB

Download
memory/2248-129-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2248-127-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads