67cd7662deeed1102b7f13649eb7b5607e9bf12835ba9565021d153f119db538

Analysis

max time kernel
119s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a428e406ab80d87f74efb390b4d94ae1.exe
Size

131KB
MD5

a428e406ab80d87f74efb390b4d94ae1
SHA1

7292232ea20257a845306d51b4373c4c28cf54b1
SHA256

67cd7662deeed1102b7f13649eb7b5607e9bf12835ba9565021d153f119db538
SHA512

dcfa683783e1bf7b68dc80bc1f828c17509f01cc0c733519e6f1e228c34dd79a7d75638d546bea19cb4bc9d140ec7dd7c97371d2375fb872454e154f4562475f
SSDEEP

3072:OWzjnau3+YkhI9eswdOf/QB4KPmunzCjgziy2bJMFi8Wd:OSLaWwkAPxzGnLyF9u

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000600000002321b-13.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	a428e406ab80d87f74efb390b4d94ae1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	ronvtelrey.exe

Executes dropped EXE 64 IoCs

pid	Process
2520	ronvtelrey.exe
892	ronvtelrey.exe
3712	ronvtelrey.exe
3116	ronvtelrey.exe
3156	ronvtelrey.exe
2716	ronvtelrey.exe
1820	ronvtelrey.exe
4820	ronvtelrey.exe
2748	ronvtelrey.exe
1256	ronvtelrey.exe
1176	ronvtelrey.exe
3580	ronvtelrey.exe
2828	ronvtelrey.exe
3980	ronvtelrey.exe
2768	ronvtelrey.exe
3552	ronvtelrey.exe
4428	ronvtelrey.exe
1276	ronvtelrey.exe
3336	ronvtelrey.exe
1948	ronvtelrey.exe
4328	ronvtelrey.exe
2052	ronvtelrey.exe
3476	ronvtelrey.exe
844	ronvtelrey.exe
464	ronvtelrey.exe
1656	ronvtelrey.exe
2960	ronvtelrey.exe
1408	ronvtelrey.exe
3156	ronvtelrey.exe
1168	ronvtelrey.exe
4556	ronvtelrey.exe
3944	ronvtelrey.exe
2748	ronvtelrey.exe
3956	ronvtelrey.exe
2556	ronvtelrey.exe
2844	ronvtelrey.exe
3104	ronvtelrey.exe
2064	ronvtelrey.exe
4508	ronvtelrey.exe
4968	ronvtelrey.exe
1080	ronvtelrey.exe
4840	ronvtelrey.exe
648	ronvtelrey.exe
5016	ronvtelrey.exe
2860	ronvtelrey.exe
4404	ronvtelrey.exe
396	ronvtelrey.exe
64	ronvtelrey.exe
3928	ronvtelrey.exe
4476	ronvtelrey.exe
2020	ronvtelrey.exe
4384	ronvtelrey.exe
3816	ronvtelrey.exe
4892	ronvtelrey.exe
1656	ronvtelrey.exe
2380	ronvtelrey.exe
4100	ronvtelrey.exe
1820	ronvtelrey.exe
4092	ronvtelrey.exe
4652	ronvtelrey.exe
1356	ronvtelrey.exe
2792	ronvtelrey.exe
4116	ronvtelrey.exe
2384	ronvtelrey.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	a428e406ab80d87f74efb390b4d94ae1.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File opened for modification	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	ronvtelrey.exe
File created	C:\Windows\SysWOW64\ronvtelrey.exe	a428e406ab80d87f74efb390b4d94ae1.exe
File created	C:\Windows\SysWOW64\psapi.lib	ronvtelrey.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 4152 set thread context of 1728	4152	a428e406ab80d87f74efb390b4d94ae1.exe	85
PID 2520 set thread context of 892	2520	ronvtelrey.exe	90
PID 3712 set thread context of 3116	3712	ronvtelrey.exe	93
PID 3156 set thread context of 2716	3156	ronvtelrey.exe	95
PID 1820 set thread context of 4820	1820	ronvtelrey.exe	98
PID 2748 set thread context of 1256	2748	ronvtelrey.exe	100
PID 1176 set thread context of 3580	1176	ronvtelrey.exe	102
PID 2828 set thread context of 3980	2828	ronvtelrey.exe	104
PID 2768 set thread context of 3552	2768	ronvtelrey.exe	106
PID 4428 set thread context of 1276	4428	ronvtelrey.exe	108
PID 3336 set thread context of 1948	3336	ronvtelrey.exe	110
PID 4328 set thread context of 2052	4328	ronvtelrey.exe	112
PID 3476 set thread context of 844	3476	ronvtelrey.exe	114
PID 464 set thread context of 1656	464	ronvtelrey.exe	116
PID 2960 set thread context of 1408	2960	ronvtelrey.exe	118
PID 3156 set thread context of 1168	3156	ronvtelrey.exe	120
PID 4556 set thread context of 3944	4556	ronvtelrey.exe	122
PID 2748 set thread context of 3956	2748	ronvtelrey.exe	124
PID 2556 set thread context of 2844	2556	ronvtelrey.exe	126
PID 3104 set thread context of 2064	3104	ronvtelrey.exe	128
PID 4508 set thread context of 4968	4508	ronvtelrey.exe	130
PID 1080 set thread context of 4840	1080	ronvtelrey.exe	132
PID 648 set thread context of 5016	648	ronvtelrey.exe	163
PID 2860 set thread context of 4404	2860	ronvtelrey.exe	166
PID 396 set thread context of 64	396	ronvtelrey.exe	167
PID 3928 set thread context of 4476	3928	ronvtelrey.exe	140
PID 2020 set thread context of 4384	2020	ronvtelrey.exe	142
PID 3816 set thread context of 4892	3816	ronvtelrey.exe	144
PID 1656 set thread context of 2380	1656	ronvtelrey.exe	176
PID 4100 set thread context of 1820	4100	ronvtelrey.exe	150
PID 4092 set thread context of 4652	4092	ronvtelrey.exe	151
PID 1356 set thread context of 2792	1356	ronvtelrey.exe	154
PID 4116 set thread context of 2384	4116	ronvtelrey.exe	184
PID 1268 set thread context of 2100	1268	ronvtelrey.exe	158
PID 1416 set thread context of 1928	1416	ronvtelrey.exe	160
PID 5004 set thread context of 2328	5004	ronvtelrey.exe	161
PID 5016 set thread context of 3488	5016	ronvtelrey.exe	164
PID 4404 set thread context of 3416	4404	ronvtelrey.exe	165
PID 64 set thread context of 568	64	ronvtelrey.exe	168
PID 2520 set thread context of 3672	2520	ronvtelrey.exe	170
PID 1716 set thread context of 892	1716	ronvtelrey.exe	202
PID 4628 set thread context of 4776	4628	ronvtelrey.exe	174
PID 4764 set thread context of 2380	4764	ronvtelrey.exe	176
PID 2668 set thread context of 4064	2668	ronvtelrey.exe	179
PID 2240 set thread context of 2896	2240	ronvtelrey.exe	181
PID 2828 set thread context of 3188	2828	ronvtelrey.exe	183
PID 2384 set thread context of 376	2384	ronvtelrey.exe	185
PID 1872 set thread context of 4968	1872	ronvtelrey.exe	187
PID 4716 set thread context of 4436	4716	ronvtelrey.exe	189
PID 2784 set thread context of 4720	2784	ronvtelrey.exe	190
PID 4188 set thread context of 3468	4188	ronvtelrey.exe	193
PID 3780 set thread context of 2484	3780	ronvtelrey.exe	195
PID 396 set thread context of 2052	396	ronvtelrey.exe	197
PID 2020 set thread context of 1516	2020	ronvtelrey.exe	199
PID 1344 set thread context of 3816	1344	ronvtelrey.exe	232
PID 892 set thread context of 3280	892	ronvtelrey.exe	203
PID 3392 set thread context of 1172	3392	ronvtelrey.exe	205
PID 1168 set thread context of 3548	1168	ronvtelrey.exe	206
PID 4000 set thread context of 3956	4000	ronvtelrey.exe	209
PID 1820 set thread context of 3764	1820	ronvtelrey.exe	211
PID 2804 set thread context of 2120	2804	ronvtelrey.exe	213
PID 3768 set thread context of 2228	3768	ronvtelrey.exe	215
PID 868 set thread context of 224	868	ronvtelrey.exe	217
PID 3644 set thread context of 4432	3644	ronvtelrey.exe	219

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ronvtelrey.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1728	a428e406ab80d87f74efb390b4d94ae1.exe
1728	a428e406ab80d87f74efb390b4d94ae1.exe
892	ronvtelrey.exe
892	ronvtelrey.exe
3116	ronvtelrey.exe
3116	ronvtelrey.exe
2716	ronvtelrey.exe
2716	ronvtelrey.exe
4820	ronvtelrey.exe
4820	ronvtelrey.exe
1256	ronvtelrey.exe
1256	ronvtelrey.exe
3580	ronvtelrey.exe
3580	ronvtelrey.exe
3980	ronvtelrey.exe
3980	ronvtelrey.exe
3552	ronvtelrey.exe
3552	ronvtelrey.exe
1276	ronvtelrey.exe
1276	ronvtelrey.exe
1948	ronvtelrey.exe
1948	ronvtelrey.exe
2052	ronvtelrey.exe
2052	ronvtelrey.exe
844	ronvtelrey.exe
844	ronvtelrey.exe
1656	ronvtelrey.exe
1656	ronvtelrey.exe
1408	ronvtelrey.exe
1408	ronvtelrey.exe
1168	ronvtelrey.exe
1168	ronvtelrey.exe
3944	ronvtelrey.exe
3944	ronvtelrey.exe
3956	ronvtelrey.exe
3956	ronvtelrey.exe
2844	ronvtelrey.exe
2844	ronvtelrey.exe
2064	ronvtelrey.exe
2064	ronvtelrey.exe
4968	ronvtelrey.exe
4968	ronvtelrey.exe
4840	ronvtelrey.exe
4840	ronvtelrey.exe
5016	ronvtelrey.exe
5016	ronvtelrey.exe
4404	ronvtelrey.exe
4404	ronvtelrey.exe
64	ronvtelrey.exe
64	ronvtelrey.exe
4476	ronvtelrey.exe
4476	ronvtelrey.exe
4384	ronvtelrey.exe
4384	ronvtelrey.exe
4892	ronvtelrey.exe
4892	ronvtelrey.exe
2380	ronvtelrey.exe
2380	ronvtelrey.exe
1820	ronvtelrey.exe
1820	ronvtelrey.exe
4652	ronvtelrey.exe
4652	ronvtelrey.exe
2792	ronvtelrey.exe
2792	ronvtelrey.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 1728	4152	a428e406ab80d87f74efb390b4d94ae1.exe	85
PID 4152 wrote to memory of 1728	4152	a428e406ab80d87f74efb390b4d94ae1.exe	85
PID 4152 wrote to memory of 1728	4152	a428e406ab80d87f74efb390b4d94ae1.exe	85
PID 4152 wrote to memory of 1728	4152	a428e406ab80d87f74efb390b4d94ae1.exe	85
PID 4152 wrote to memory of 1728	4152	a428e406ab80d87f74efb390b4d94ae1.exe	85
PID 1728 wrote to memory of 2520	1728	a428e406ab80d87f74efb390b4d94ae1.exe	89
PID 1728 wrote to memory of 2520	1728	a428e406ab80d87f74efb390b4d94ae1.exe	89
PID 1728 wrote to memory of 2520	1728	a428e406ab80d87f74efb390b4d94ae1.exe	89
PID 2520 wrote to memory of 892	2520	ronvtelrey.exe	90
PID 2520 wrote to memory of 892	2520	ronvtelrey.exe	90
PID 2520 wrote to memory of 892	2520	ronvtelrey.exe	90
PID 2520 wrote to memory of 892	2520	ronvtelrey.exe	90
PID 2520 wrote to memory of 892	2520	ronvtelrey.exe	90
PID 892 wrote to memory of 3712	892	ronvtelrey.exe	92
PID 892 wrote to memory of 3712	892	ronvtelrey.exe	92
PID 892 wrote to memory of 3712	892	ronvtelrey.exe	92
PID 3712 wrote to memory of 3116	3712	ronvtelrey.exe	93
PID 3712 wrote to memory of 3116	3712	ronvtelrey.exe	93
PID 3712 wrote to memory of 3116	3712	ronvtelrey.exe	93
PID 3712 wrote to memory of 3116	3712	ronvtelrey.exe	93
PID 3712 wrote to memory of 3116	3712	ronvtelrey.exe	93
PID 3116 wrote to memory of 3156	3116	ronvtelrey.exe	94
PID 3116 wrote to memory of 3156	3116	ronvtelrey.exe	94
PID 3116 wrote to memory of 3156	3116	ronvtelrey.exe	94
PID 3156 wrote to memory of 2716	3156	ronvtelrey.exe	95
PID 3156 wrote to memory of 2716	3156	ronvtelrey.exe	95
PID 3156 wrote to memory of 2716	3156	ronvtelrey.exe	95
PID 3156 wrote to memory of 2716	3156	ronvtelrey.exe	95
PID 3156 wrote to memory of 2716	3156	ronvtelrey.exe	95
PID 2716 wrote to memory of 1820	2716	ronvtelrey.exe	97
PID 2716 wrote to memory of 1820	2716	ronvtelrey.exe	97
PID 2716 wrote to memory of 1820	2716	ronvtelrey.exe	97
PID 1820 wrote to memory of 4820	1820	ronvtelrey.exe	98
PID 1820 wrote to memory of 4820	1820	ronvtelrey.exe	98
PID 1820 wrote to memory of 4820	1820	ronvtelrey.exe	98
PID 1820 wrote to memory of 4820	1820	ronvtelrey.exe	98
PID 1820 wrote to memory of 4820	1820	ronvtelrey.exe	98
PID 4820 wrote to memory of 2748	4820	ronvtelrey.exe	99
PID 4820 wrote to memory of 2748	4820	ronvtelrey.exe	99
PID 4820 wrote to memory of 2748	4820	ronvtelrey.exe	99
PID 2748 wrote to memory of 1256	2748	ronvtelrey.exe	100
PID 2748 wrote to memory of 1256	2748	ronvtelrey.exe	100
PID 2748 wrote to memory of 1256	2748	ronvtelrey.exe	100
PID 2748 wrote to memory of 1256	2748	ronvtelrey.exe	100
PID 2748 wrote to memory of 1256	2748	ronvtelrey.exe	100
PID 1256 wrote to memory of 1176	1256	ronvtelrey.exe	101
PID 1256 wrote to memory of 1176	1256	ronvtelrey.exe	101
PID 1256 wrote to memory of 1176	1256	ronvtelrey.exe	101
PID 1176 wrote to memory of 3580	1176	ronvtelrey.exe	102
PID 1176 wrote to memory of 3580	1176	ronvtelrey.exe	102
PID 1176 wrote to memory of 3580	1176	ronvtelrey.exe	102
PID 1176 wrote to memory of 3580	1176	ronvtelrey.exe	102
PID 1176 wrote to memory of 3580	1176	ronvtelrey.exe	102
PID 3580 wrote to memory of 2828	3580	ronvtelrey.exe	103
PID 3580 wrote to memory of 2828	3580	ronvtelrey.exe	103
PID 3580 wrote to memory of 2828	3580	ronvtelrey.exe	103
PID 2828 wrote to memory of 3980	2828	ronvtelrey.exe	104
PID 2828 wrote to memory of 3980	2828	ronvtelrey.exe	104
PID 2828 wrote to memory of 3980	2828	ronvtelrey.exe	104
PID 2828 wrote to memory of 3980	2828	ronvtelrey.exe	104
PID 2828 wrote to memory of 3980	2828	ronvtelrey.exe	104
PID 3980 wrote to memory of 2768	3980	ronvtelrey.exe	105
PID 3980 wrote to memory of 2768	3980	ronvtelrey.exe	105
PID 3980 wrote to memory of 2768	3980	ronvtelrey.exe	105

C:\Users\Admin\AppData\Local\Temp\a428e406ab80d87f74efb390b4d94ae1.exe
"C:\Users\Admin\AppData\Local\Temp\a428e406ab80d87f74efb390b4d94ae1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Local\Temp\a428e406ab80d87f74efb390b4d94ae1.exe
  C:\Users\Admin\AppData\Local\Temp\a428e406ab80d87f74efb390b4d94ae1.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\ronvtelrey.exe
    "C:\Windows\system32\ronvtelrey.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\ronvtelrey.exe
      C:\Windows\SysWOW64\ronvtelrey.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:892
    - - C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3712
      - C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2768
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3552
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4428
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3336
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4328
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3476
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:464
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2960
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        30⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3156
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4556
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3944
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2748
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3956
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2556
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3104
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4508
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4968
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1080
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4840
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:648
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        33⤵
        Checks computer location settings
        
        PID:3548
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        34⤵
        Suspicious use of SetThreadContext
        
        PID:4000
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        35⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        36⤵
        Suspicious use of SetThreadContext
        
        PID:1820
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        37⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        38⤵
        Suspicious use of SetThreadContext
        
        PID:2804
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        39⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        40⤵
        Suspicious use of SetThreadContext
        
        PID:3768
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        41⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        42⤵
        Suspicious use of SetThreadContext
        
        PID:868
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        43⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        44⤵
        Suspicious use of SetThreadContext
        
        PID:3644
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        45⤵
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        46⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        47⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        48⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        49⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        50⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        51⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        52⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        53⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        54⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        55⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        56⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        57⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        58⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        59⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        60⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        61⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        62⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        63⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        64⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        65⤵
        Checks computer location settings
        
        PID:2992
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        66⤵
        
        PID:404
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        67⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        68⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        69⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        70⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        71⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        72⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        74⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        75⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        76⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        78⤵
        
        PID:956
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        79⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        80⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        81⤵
        Checks computer location settings
        
        PID:1624
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        82⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        83⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        84⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        85⤵
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        86⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        87⤵
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        88⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        89⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        90⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        91⤵
        Modifies registry class
        
        PID:496
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        92⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        93⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        94⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        95⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        96⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        97⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        98⤵
        
        PID:768
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        100⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        101⤵
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        102⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        103⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        104⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        105⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        106⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        107⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        108⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        109⤵
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        110⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        111⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        112⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        113⤵
        Checks computer location settings
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        114⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        115⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        116⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        117⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        118⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        119⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        120⤵
        
        PID:568
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        121⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        122⤵
        
        PID:652
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        123⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        124⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        125⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        126⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        127⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        128⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        129⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        130⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        131⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        132⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        133⤵
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        134⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        135⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        136⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        137⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        138⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        139⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        140⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        141⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        142⤵
        
        PID:408
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        143⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        144⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        145⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        146⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        147⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        148⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        149⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        150⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        151⤵
        
        PID:924
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        152⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        153⤵
        
        PID:5060

C:\Windows\SysWOW64\ronvtelrey.exe
C:\Windows\SysWOW64\ronvtelrey.exe
1⤵
PID:5016
- C:\Windows\SysWOW64\ronvtelrey.exe
  "C:\Windows\system32\ronvtelrey.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2860
- - C:\Windows\SysWOW64\ronvtelrey.exe
    C:\Windows\SysWOW64\ronvtelrey.exe
    3⤵
    PID:4404
  - - C:\Windows\SysWOW64\ronvtelrey.exe
      "C:\Windows\system32\ronvtelrey.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:396
    - - C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        5⤵
        
        PID:64
      - C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3928
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4476
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2020
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4384
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3816
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4892
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1656
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        13⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4100
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4092
  - - C:\Windows\SysWOW64\ronvtelrey.exe
      C:\Windows\SysWOW64\ronvtelrey.exe
      4⤵
      Checks computer location settings
      PID:3416
    - - C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:64
      - C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        6⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2520
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        8⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        9⤵
        Suspicious use of SetThreadContext
        
        PID:1716
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        10⤵
        
        PID:892
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        11⤵
        Suspicious use of SetThreadContext
        
        PID:4628
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        12⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        13⤵
        Suspicious use of SetThreadContext
        
        PID:4764
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        15⤵
        Suspicious use of SetThreadContext
        
        PID:2668
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        16⤵
        Checks computer location settings
        
        PID:4064
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        17⤵
        Suspicious use of SetThreadContext
        
        PID:2240
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        18⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        19⤵
        Suspicious use of SetThreadContext
        
        PID:2828
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        20⤵
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        22⤵
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        23⤵
        Suspicious use of SetThreadContext
        
        PID:1872
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        24⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        25⤵
        Suspicious use of SetThreadContext
        
        PID:4716
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        26⤵
        Checks computer location settings
        
        PID:4436
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        27⤵
        Suspicious use of SetThreadContext
        
        PID:2784

C:\Windows\SysWOW64\ronvtelrey.exe
C:\Windows\SysWOW64\ronvtelrey.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4652
- C:\Windows\SysWOW64\ronvtelrey.exe
  "C:\Windows\system32\ronvtelrey.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1356
- - C:\Windows\SysWOW64\ronvtelrey.exe
    C:\Windows\SysWOW64\ronvtelrey.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2792
  - - C:\Windows\SysWOW64\ronvtelrey.exe
      "C:\Windows\system32\ronvtelrey.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4116
    - - C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        5⤵
        
        PID:2384
      - C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:1268
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        7⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:1416
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        9⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5004

C:\Windows\SysWOW64\ronvtelrey.exe
C:\Windows\SysWOW64\ronvtelrey.exe
1⤵
- Checks computer location settings
PID:2328
- C:\Windows\SysWOW64\ronvtelrey.exe
  "C:\Windows\system32\ronvtelrey.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5016
- - C:\Windows\SysWOW64\ronvtelrey.exe
    C:\Windows\SysWOW64\ronvtelrey.exe
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:3488
  - - C:\Windows\SysWOW64\ronvtelrey.exe
      "C:\Windows\system32\ronvtelrey.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:4404

C:\Windows\SysWOW64\ronvtelrey.exe
C:\Windows\SysWOW64\ronvtelrey.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4720
- C:\Windows\SysWOW64\ronvtelrey.exe
  "C:\Windows\system32\ronvtelrey.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:4188
- - C:\Windows\SysWOW64\ronvtelrey.exe
    C:\Windows\SysWOW64\ronvtelrey.exe
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    PID:3468
  - - C:\Windows\SysWOW64\ronvtelrey.exe
      "C:\Windows\system32\ronvtelrey.exe"
      4⤵
      Suspicious use of SetThreadContext
      PID:3780
    - - C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        5⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2484
      - C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:396
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:2020
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        9⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        10⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        11⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        12⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        13⤵
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        14⤵
        Suspicious use of SetThreadContext
        
        PID:3392
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        15⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\ronvtelrey.exe
        
        "C:\Windows\system32\ronvtelrey.exe"
        16⤵
        Suspicious use of SetThreadContext
        
        PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\psapi.lib

Filesize
19KB

MD5
a5b1b1f7c2c51ff400d93ae63f484d96

SHA1
5f038003bf8851254ba577db5d8dfd69c1085c33

SHA256
35b1d2d2bc5c531d49aa3550de5c19bd5f4ebe79c594c6f5000d6de28b2621bf

SHA512
90c2145b39611bd1406c513dff16366a51e86e8831c34ab15f650e6620a75533e800db056dda2e7e176fac8b20cd0be76bc1725b45930b31595d4aac00da4eec

Download Submit
C:\Windows\SysWOW64\ronvtelrey.exe

Filesize
131KB

MD5
a428e406ab80d87f74efb390b4d94ae1

SHA1
7292232ea20257a845306d51b4373c4c28cf54b1

SHA256
67cd7662deeed1102b7f13649eb7b5607e9bf12835ba9565021d153f119db538

SHA512
dcfa683783e1bf7b68dc80bc1f828c17509f01cc0c733519e6f1e228c34dd79a7d75638d546bea19cb4bc9d140ec7dd7c97371d2375fb872454e154f4562475f

Download Submit
memory/464-187-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/464-190-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/844-182-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/844-186-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/892-51-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/892-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1168-220-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1168-216-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1176-104-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/1176-107-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/1256-99-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1256-103-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1276-154-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1276-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1408-209-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1408-205-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1656-198-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1656-193-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1728-49-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1728-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1728-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1728-1-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1820-82-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/1820-84-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/1948-164-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1948-160-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2052-175-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2052-171-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2520-42-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/2520-44-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2520-48-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/2520-46-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2716-81-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2716-77-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2748-97-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/2748-93-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/2768-133-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/2768-131-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2768-128-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/2828-122-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/2828-120-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2828-118-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2828-115-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/2960-202-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/2960-199-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/3116-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3116-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3156-72-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/3156-210-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/3156-213-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/3156-69-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/3156-74-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/3156-73-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/3336-153-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/3336-157-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/3476-180-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/3476-178-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3552-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3552-135-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3580-114-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3580-110-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3712-58-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/3712-61-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/3712-56-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/3712-63-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/3980-127-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3980-123-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4152-5-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4152-0-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/4152-4-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/4152-3-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4328-167-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/4328-165-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/4428-148-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/4428-144-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/4428-141-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/4428-146-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/4556-223-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/4556-227-0x0000000013140000-0x000000001316B000-memory.dmp

Filesize
172KB

Download
memory/4556-222-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/4820-92-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4820-88-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download