modiloader | 2e1b3dec1609efaee181ea5c2865ace9ac7be4b5ee8420a71ef9fff500440377

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10
submitted
19-07-2020 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0333d66ed3a4f516e75c4f17dc333c7a.exe
Size

752KB
MD5

0333d66ed3a4f516e75c4f17dc333c7a
SHA1

ec1302c115c1050bc0f58768f5fecd45783d9f6d
SHA256

2e1b3dec1609efaee181ea5c2865ace9ac7be4b5ee8420a71ef9fff500440377
SHA512

b88e3948f6abce5a883109173a163406884dd137ead0c4e48d75b2ea4f3ec419582d74dff7d4bdbb250108660aadf2b4c3063ec747f150535a339e323ffcfc5f

Score

10^/10

modiloader remcos persistence rat trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ServiceHost packer 123 IoCs

Detects ServiceHost packer used for .NET malware

resource	yara_rule
behavioral2/memory/3784-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-4-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-5-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-6-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-7-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-8-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-9-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-10-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-11-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-12-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-13-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-14-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-15-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-16-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-17-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-18-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-19-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-20-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-21-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-22-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-23-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-24-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-25-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-26-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-27-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-28-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-29-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-30-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-31-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-32-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-33-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-34-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-35-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-36-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-37-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-38-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-39-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-40-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-41-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-42-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-43-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-44-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-45-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-46-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-47-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-48-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-49-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-50-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-51-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-52-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-53-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-54-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-55-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-56-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-57-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-58-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-59-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-60-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-61-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-62-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-63-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-64-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-65-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-66-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-67-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-68-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-69-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-70-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-71-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-72-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-73-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-74-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-75-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-76-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-77-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-78-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-79-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-80-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-81-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-82-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-83-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-84-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-85-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-86-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-87-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-88-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-89-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-90-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-91-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-92-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-93-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-94-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-95-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-96-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-97-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-98-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-99-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-100-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-101-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-102-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-103-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-104-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-105-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-106-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-107-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-108-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-109-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-110-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-111-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-112-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-113-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-114-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-115-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-116-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-117-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-118-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-119-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-120-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-121-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-122-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-123-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/3784-125-0x0000000000000000-mapping.dmp	servicehost

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bdbc = "C:\\Users\\Admin\\AppData\\Local\\Bdbc\\Bdbc.hta"	0333d66ed3a4f516e75c4f17dc333c7a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2976 set thread context of 3932	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	72

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2596	reg.exe
1796	reg.exe
3628	reg.exe

Suspicious use of WriteProcessMemory 513 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 2976 wrote to memory of 3784	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	67
PID 3784 wrote to memory of 1232	3784	TapiUnattend.exe	71
PID 3784 wrote to memory of 1232	3784	TapiUnattend.exe	71
PID 3784 wrote to memory of 1232	3784	TapiUnattend.exe	71
PID 2976 wrote to memory of 3932	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	72
PID 2976 wrote to memory of 3932	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	72
PID 2976 wrote to memory of 3932	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	72
PID 2976 wrote to memory of 3932	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	72
PID 2976 wrote to memory of 3932	2976	0333d66ed3a4f516e75c4f17dc333c7a.exe	72
PID 1232 wrote to memory of 2596	1232	cmd.exe	74
PID 1232 wrote to memory of 2596	1232	cmd.exe	74
PID 1232 wrote to memory of 2596	1232	cmd.exe	74
PID 1232 wrote to memory of 1796	1232	cmd.exe	75
PID 1232 wrote to memory of 1796	1232	cmd.exe	75
PID 1232 wrote to memory of 1796	1232	cmd.exe	75
PID 1232 wrote to memory of 1452	1232	cmd.exe	76
PID 1232 wrote to memory of 1452	1232	cmd.exe	76
PID 1232 wrote to memory of 1452	1232	cmd.exe	76
PID 1232 wrote to memory of 3628	1232	cmd.exe	77
PID 1232 wrote to memory of 3628	1232	cmd.exe	77
PID 1232 wrote to memory of 3628	1232	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\0333d66ed3a4f516e75c4f17dc333c7a.exe
"C:\Users\Admin\AppData\Local\Temp\0333d66ed3a4f516e75c4f17dc333c7a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\TapiUnattend.exe
  "C:\Windows\System32\TapiUnattend.exe"
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
    3⤵
    PID:1232
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:2596
  - - C:\Windows\SysWOW64\reg.exe
      reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
      4⤵
      Modifies registry key
      PID:1796
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\reg.exe
      reg delete hkcu\Environment /v windir /f
      4⤵
      Modifies registry key
      PID:3628
- C:\Program Files (x86)\internet explorer\ieinstal.exe
  "C:\Program Files (x86)\internet explorer\ieinstal.exe"
  2⤵
  PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2976-124-0x0000000050480000-0x00000000504C0000-memory.dmp

Filesize
256KB

Download
memory/3932-127-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3932-129-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads