remcos | 72a61910d0ce3c1796c072b1b7a14574918d3b1e5d5b23727ca8d55473ac3d57

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
Size

95KB
MD5

50cf2b84679ea401530b7e30d16f166b
SHA1

1720348ae4b55ce19a252e2161c6eb0684ebea10
SHA256

0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd
SHA512

273a2fe9402a237314dce9937a1ec0c36cdcef8a0e2820dcaf40382061fa7fc85ef9df7bfba0b237b40eb10d4ecc236eb650f528400860dd309666c1a1d519b1
SSDEEP

1536:mOhzJDZr9BzDNATEk9UbTV0+gRLVNI6e:lhzbrjDNATEkebh0BRk6e

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.173.62.181:17120

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-F9ZGZ8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral2/memory/1732-43-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
behavioral2/memory/1732-38-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView

resource	yara_rule
behavioral2/memory/1732-43-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/1732-38-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2676-44-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2676-40-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2676-49-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2676-44-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1732-43-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4568-42-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2676-40-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1732-38-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2676-49-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd = "C:\\Users\\Admin\\Documents\\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.pif"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

description	pid	process	target process
PID 2284 set thread context of 3404	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 set thread context of 2676	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 set thread context of 1732	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 set thread context of 4568	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

pid	process
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2676	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2676	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
4568	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
4568	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2676	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
2676	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

pid	process
3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

description	pid	process
Token: SeDebugPrivilege	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
Token: SeDebugPrivilege	4568	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

pid process

3404 0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.execmd.exe0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe

C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
"C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd" /t REG_SZ /F /D "C:\Users\Admin\Documents\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.pif"
2⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd" /t REG_SZ /F /D "C:\Users\Admin\Documents\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.pif"
3⤵
- Adds Run key to start application
PID:3468

C:\Windows\SysWOW64\cmd.exe
cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe" "C:\Users\Admin\Documents\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.pif"
2⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
"C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe"
2⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
"C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404

C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe /stext "C:\Users\Admin\AppData\Local\Temp\xineupuulogrsbmqpqbekenqfkvutcgdpv"
3⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe /stext "C:\Users\Admin\AppData\Local\Temp\xineupuulogrsbmqpqbekenqfkvutcgdpv"
3⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe /stext "C:\Users\Admin\AppData\Local\Temp\xineupuulogrsbmqpqbekenqfkvutcgdpv"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe /stext "C:\Users\Admin\AppData\Local\Temp\zctxvi"
3⤵
- Accesses Microsoft Outlook accounts
PID:1732

C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
C:\Users\Admin\AppData\Local\Temp\0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe /stext "C:\Users\Admin\AppData\Local\Temp\keyiwsxpue"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
847dee14224d9e9b8d161598a1ff0483

SHA1
7d7d82c5fa1d241b8416f07c5e824e0faffe9f04

SHA256
36b399a7af753bad98a2fa8cce5abed38cb01beb4c9af5c52cb3c092a9fa5f42

SHA512
7dc17f85a2af41ec3504501772c9ed5e5ca7113f2cd17812b39ae82aa71287de1bc251cbbc053f7484d0f69ffb51bb5361b06217d212a292923383bf040647a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xineupuulogrsbmqpqbekenqfkvutcgdpv
Filesize
4KB

MD5
73ddf6cd83c2ad8a2fbb2383e322ffbc

SHA1
05270f8bb7b5cc6ab9a61ae7453d047379089147

SHA256
0ef9194c6e90b23c416316fc5a15f549ee5b2472014fcd7648d72ca9a865b409

SHA512
714db1956faa795005b15324b9604105881d6b484fe899876fe0df85783c61a72f556a875833af8625625212503b95eea2eb353a1d98f6a7af47a3658ea5262d

Download Submit
memory/1732-43-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1732-38-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1732-36-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1732-34-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2284-4-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/2284-7-0x0000000006930000-0x00000000069CC000-memory.dmp

Filesize
624KB

Download
memory/2284-8-0x00000000069D0000-0x0000000006A36000-memory.dmp

Filesize
408KB

Download
memory/2284-6-0x0000000006710000-0x0000000006792000-memory.dmp

Filesize
520KB

Download
memory/2284-5-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2284-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/2284-3-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/2284-21-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2284-2-0x00000000057A0000-0x0000000005D44000-memory.dmp

Filesize
5.6MB

Download
memory/2284-1-0x00000000006C0000-0x00000000006DE000-memory.dmp

Filesize
120KB

Download
memory/2676-49-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2676-32-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2676-37-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2676-40-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2676-44-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3404-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-51-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3404-55-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3404-54-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3404-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3404-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4568-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4568-41-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4568-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

description	pid	process	target process
PID 2284 wrote to memory of 2664	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	cmd.exe
PID 2284 wrote to memory of 2664	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	cmd.exe
PID 2284 wrote to memory of 2664	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	cmd.exe
PID 2664 wrote to memory of 3468	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 3468	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 3468	2664	cmd.exe	reg.exe
PID 2284 wrote to memory of 4372	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	cmd.exe
PID 2284 wrote to memory of 4372	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	cmd.exe
PID 2284 wrote to memory of 4372	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	cmd.exe
PID 2284 wrote to memory of 4704	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 4704	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 4704	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 3404	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 3404	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 3404	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 3404	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 3404	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 3404	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 3404	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 3404	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 3404	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 3404	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 3404	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 2284 wrote to memory of 3404	2284	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 3392	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 3392	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 3392	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 4744	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 4744	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 4744	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 2676	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 2676	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 2676	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 2676	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 1732	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 1732	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 1732	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 1732	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 4568	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 4568	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 4568	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe
PID 3404 wrote to memory of 4568	3404	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe	0738981879dde83f3a14602cfa2842e934a11c5339b460a8dd4c57c778221ddd.exe