modiloader | 2e1b3dec1609efaee181ea5c2865ace9ac7be4b5ee8420a71ef9fff500440377

Analysis

max time kernel
140s
max time network
144s
platform
windows7_x64
resource
win7
submitted
19-07-2020 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0333d66ed3a4f516e75c4f17dc333c7a.exe
Size

752KB
MD5

0333d66ed3a4f516e75c4f17dc333c7a
SHA1

ec1302c115c1050bc0f58768f5fecd45783d9f6d
SHA256

2e1b3dec1609efaee181ea5c2865ace9ac7be4b5ee8420a71ef9fff500440377
SHA512

b88e3948f6abce5a883109173a163406884dd137ead0c4e48d75b2ea4f3ec419582d74dff7d4bdbb250108660aadf2b4c3063ec747f150535a339e323ffcfc5f

Score

10^/10

modiloader remcos persistence rat trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2396	fodhelper.exe
2416	fodhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Bdbc = "C:\\Users\\Admin\\AppData\\Local\\Bdbc\\Bdbc.hta"	0333d66ed3a4f516e75c4f17dc333c7a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1144 set thread context of 2232	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	31

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2244	reg.exe
2268	reg.exe
2320	reg.exe

Suspicious use of WriteProcessMemory 527 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1144 wrote to memory of 1512	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	26
PID 1512 wrote to memory of 2204	1512	TapiUnattend.exe	29
PID 1512 wrote to memory of 2204	1512	TapiUnattend.exe	29
PID 1512 wrote to memory of 2204	1512	TapiUnattend.exe	29
PID 1512 wrote to memory of 2204	1512	TapiUnattend.exe	29
PID 2204 wrote to memory of 2244	2204	cmd.exe	32
PID 2204 wrote to memory of 2244	2204	cmd.exe	32
PID 2204 wrote to memory of 2244	2204	cmd.exe	32
PID 2204 wrote to memory of 2244	2204	cmd.exe	32
PID 1144 wrote to memory of 2232	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	31
PID 1144 wrote to memory of 2232	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	31
PID 1144 wrote to memory of 2232	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	31
PID 1144 wrote to memory of 2232	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	31
PID 1144 wrote to memory of 2232	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	31
PID 1144 wrote to memory of 2232	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	31
PID 1144 wrote to memory of 2232	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	31
PID 1144 wrote to memory of 2232	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	31
PID 1144 wrote to memory of 2232	1144	0333d66ed3a4f516e75c4f17dc333c7a.exe	31
PID 2204 wrote to memory of 2268	2204	cmd.exe	33
PID 2204 wrote to memory of 2268	2204	cmd.exe	33
PID 2204 wrote to memory of 2268	2204	cmd.exe	33
PID 2204 wrote to memory of 2268	2204	cmd.exe	33
PID 2204 wrote to memory of 2292	2204	cmd.exe	34
PID 2204 wrote to memory of 2292	2204	cmd.exe	34
PID 2204 wrote to memory of 2292	2204	cmd.exe	34
PID 2204 wrote to memory of 2292	2204	cmd.exe	34
PID 2204 wrote to memory of 2320	2204	cmd.exe	35
PID 2204 wrote to memory of 2320	2204	cmd.exe	35
PID 2204 wrote to memory of 2320	2204	cmd.exe	35
PID 2204 wrote to memory of 2320	2204	cmd.exe	35
PID 1512 wrote to memory of 2356	1512	TapiUnattend.exe	36
PID 1512 wrote to memory of 2356	1512	TapiUnattend.exe	36
PID 1512 wrote to memory of 2356	1512	TapiUnattend.exe	36
PID 1512 wrote to memory of 2356	1512	TapiUnattend.exe	36

C:\Users\Admin\AppData\Local\Temp\0333d66ed3a4f516e75c4f17dc333c7a.exe
"C:\Users\Admin\AppData\Local\Temp\0333d66ed3a4f516e75c4f17dc333c7a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\TapiUnattend.exe
  "C:\Windows\System32\TapiUnattend.exe"
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Public\Natso.bat
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:2244
  - - C:\Windows\SysWOW64\reg.exe
      reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
      4⤵
      Modifies registry key
      PID:2268
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Public\Runex.bat
    3⤵
    PID:2356
  - - C:\Windows \System32\fodhelper.exe
      "C:\Windows \System32\fodhelper.exe"
      4⤵
      Executes dropped EXE
      PID:2396
  - - C:\Windows \System32\fodhelper.exe
      "C:\Windows \System32\fodhelper.exe"
      4⤵
      Executes dropped EXE
      PID:2416
- C:\Program Files (x86)\internet explorer\ieinstal.exe
  "C:\Program Files (x86)\internet explorer\ieinstal.exe"
  2⤵
  PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1144-124-0x0000000050480000-0x00000000504C0000-memory.dmp

Filesize
256KB

Download
memory/2232-132-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2232-129-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads