bazarloader | e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e

Resubmissions

27/09/2020, 00:33

200927-n2q2v3n43s 6

10/09/2020, 08:49

200910-c8x1yrxskj 10

Analysis

max time kernel
76s
max time network
149s
platform
windows10_x64
resource
win10
submitted
10/09/2020, 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe
Size

379KB
MD5

9f00d78f2e8e4523773a264f85be1c02
SHA1

3c542144a7a03134060bd666206a106bcea95e5a
SHA256

e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e
SHA512

5760967703d0702d4c855b75c895a2432c809ca8f945f2a80914f21b3c8129c4bbf155bac4bb5fa6b03e868b3d33cfbe1b3321a7b438741cd62d1c3323d38928

Score

10^/10

persistence loader dropper bazarloader backdoor bazarbackdoor

Malware Config

Signatures

Bazar Loader 14 IoCs

Detected loader normally used to deploy BazarBackdoor malware.

loader dropper bazarloader

description	flow	ioc	Process
HTTP User-Agent header	11	Win	Process not Found
HTTP User-Agent header	16	Win	Process not Found
HTTP URL	8	https://82.146.37.128/api/v153	Process not Found
HTTP User-Agent header	8	Win	Process not Found
HTTP URL	11	https://82.146.37.128/api/v154	Process not Found
HTTP User-Agent header	12	Win	Process not Found
HTTP URL	14	https://82.146.37.128/api/v156	Process not Found
File opened for modification		C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe
HTTP URL	13	https://82.146.37.128/api/v154	Process not Found
HTTP User-Agent header	13	Win	Process not Found
HTTP User-Agent header	15	Win	Process not Found
HTTP User-Agent header	17	Win	Process not Found
HTTP URL	12	https://82.146.37.128/api/v154	Process not Found
HTTP User-Agent header	14	Win	Process not Found

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Executes dropped EXE 1 IoCs

pid	Process
2716	arfgdcubgo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype Remote Control = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe"	e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 3364	2716	arfgdcubgo.exe	80

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1904	timeout.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 252c80be4f87d601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2992	svchost.exe
Token: SeCreatePagefilePrivilege	2992	svchost.exe

Suspicious use of WriteProcessMemory 827 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1612	3024	e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe	76
PID 3024 wrote to memory of 1612	3024	e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe	76
PID 1612 wrote to memory of 1904	1612	cmd.exe	78
PID 1612 wrote to memory of 1904	1612	cmd.exe	78
PID 3024 wrote to memory of 2716	3024	e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe	79
PID 3024 wrote to memory of 2716	3024	e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe	79
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	80

C:\Users\Admin\AppData\Local\Temp\e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe
"C:\Users\Admin\AppData\Local\Temp\e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c TIMEOUT /T 50 /NOBREAK && move "C:\Users\Admin\AppData\Local\Temp\dhcftxghsh" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Control Panel.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 50 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1904
- C:\Users\Admin\AppData\Local\Temp\arfgdcubgo.exe
  C:\Users\Admin\AppData\Local\Temp\arfgdcubgo.exe /NO_AUTOSTART 82.146.37.128
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Bazar Loader
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3024-0-0x00000000022E0000-0x0000000002313000-memory.dmp

Filesize
204KB

Download
memory/3024-1-0x0000000002320000-0x0000000002352000-memory.dmp

Filesize
200KB

Download
memory/3364-17-0x00007FF659960000-0x00007FF659A1D000-memory.dmp

Filesize
756KB

Download
memory/3364-19-0x00007FF659960000-0x00007FF659A1D000-memory.dmp

Filesize
756KB

Download