redline | 9ea4469f78d2953c8061672f6c7630a9728b42944e37be3e30bc6774812af88a

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10-en
submitted
02-09-2021 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c401e59268ce122cbe861437d99de240.exe
Size

622KB
MD5

c401e59268ce122cbe861437d99de240
SHA1

b73d04412ab3dc1b7ac6c11d8343ab29831a8b32
SHA256

9ea4469f78d2953c8061672f6c7630a9728b42944e37be3e30bc6774812af88a
SHA512

707e7f15af8b8bd9c99e70cd126c5fb5577ab1ceb8c45c23f5842fe666ca774e2966f77cf7eeaa30bd322d235bf004466a33909cd5ee8617f3c9e076b57fcb4f

Score

10^/10

redline test1 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

test1

54.38.136.110:27734

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 56 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3104-120-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/3104-121-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/3104-130-0x00000000050E0000-0x00000000055DE000-memory.dmp	family_redline
behavioral2/memory/4528-139-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2820-151-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2820-161-0x0000000005190000-0x000000000568E000-memory.dmp	family_redline
behavioral2/memory/4540-169-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/4540-185-0x0000000005120000-0x000000000561E000-memory.dmp	family_redline
behavioral2/memory/1108-188-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2128-200-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2128-215-0x00000000058B0000-0x0000000005DAE000-memory.dmp	family_redline
behavioral2/memory/2648-218-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2648-232-0x00000000053E0000-0x00000000058DE000-memory.dmp	family_redline
behavioral2/memory/3292-242-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/3292-257-0x0000000005790000-0x0000000005C8E000-memory.dmp	family_redline
behavioral2/memory/3352-259-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/4420-272-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/588-286-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/588-296-0x0000000005550000-0x0000000005A4E000-memory.dmp	family_redline
behavioral2/memory/700-298-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2600-315-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2600-331-0x00000000055B0000-0x0000000005AAE000-memory.dmp	family_redline
behavioral2/memory/2820-334-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2820-344-0x0000000004ED0000-0x00000000054D6000-memory.dmp	family_redline
behavioral2/memory/4616-351-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/3116-369-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/3116-379-0x00000000054E0000-0x00000000059DE000-memory.dmp	family_redline
behavioral2/memory/2060-382-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2060-392-0x00000000053E0000-0x00000000058DE000-memory.dmp	family_redline
behavioral2/memory/912-411-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2664-424-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2664-439-0x00000000053E0000-0x00000000058DE000-memory.dmp	family_redline
behavioral2/memory/2200-442-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2200-457-0x0000000004D90000-0x000000000528E000-memory.dmp	family_redline
behavioral2/memory/2784-459-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2784-469-0x0000000004E20000-0x000000000531E000-memory.dmp	family_redline
behavioral2/memory/2244-472-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/2244-488-0x0000000004E20000-0x000000000531E000-memory.dmp	family_redline
behavioral2/memory/1376-490-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/1376-500-0x0000000005190000-0x000000000568E000-memory.dmp	family_redline
behavioral2/memory/1684-502-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/3756-530-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/3756-538-0x0000000005220000-0x0000000005826000-memory.dmp	family_redline
behavioral2/memory/4428-550-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/4428-560-0x0000000004E30000-0x000000000532E000-memory.dmp	family_redline
behavioral2/memory/4020-568-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/4020-578-0x0000000005190000-0x000000000568E000-memory.dmp	family_redline
behavioral2/memory/4532-580-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/4532-593-0x0000000005260000-0x000000000575E000-memory.dmp	family_redline
behavioral2/memory/860-598-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/860-609-0x0000000005930000-0x0000000005E2E000-memory.dmp	family_redline
behavioral2/memory/4032-621-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/4032-633-0x0000000004F70000-0x000000000546E000-memory.dmp	family_redline
behavioral2/memory/4168-640-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/1276-647-0x000000000041C5F2-mapping.dmp	family_redline
behavioral2/memory/1276-657-0x0000000004E20000-0x000000000531E000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 32 IoCs

Processes:

c401e59268ce122cbe861437d99de240.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4084 4420 WerFault.exe c401e59268ce122cbe861437d99de240.exe
4288 4168 WerFault.exe c401e59268ce122cbe861437d99de240.exe

pid	pid_target	process	target process
4084	4420	WerFault.exe	c401e59268ce122cbe861437d99de240.exe
4288	4168	WerFault.exe	c401e59268ce122cbe861437d99de240.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

c401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exec401e59268ce122cbe861437d99de240.exe

pid	process
3104	c401e59268ce122cbe861437d99de240.exe
3104	c401e59268ce122cbe861437d99de240.exe
4528	c401e59268ce122cbe861437d99de240.exe
4528	c401e59268ce122cbe861437d99de240.exe
2820	c401e59268ce122cbe861437d99de240.exe
2820	c401e59268ce122cbe861437d99de240.exe
4540	c401e59268ce122cbe861437d99de240.exe
4540	c401e59268ce122cbe861437d99de240.exe
1108	c401e59268ce122cbe861437d99de240.exe
2128	c401e59268ce122cbe861437d99de240.exe
2128	c401e59268ce122cbe861437d99de240.exe
1108	c401e59268ce122cbe861437d99de240.exe
2648	c401e59268ce122cbe861437d99de240.exe
2648	c401e59268ce122cbe861437d99de240.exe
3292	c401e59268ce122cbe861437d99de240.exe
3292	c401e59268ce122cbe861437d99de240.exe
3352	c401e59268ce122cbe861437d99de240.exe
3352	c401e59268ce122cbe861437d99de240.exe
588	c401e59268ce122cbe861437d99de240.exe
588	c401e59268ce122cbe861437d99de240.exe
700	c401e59268ce122cbe861437d99de240.exe
700	c401e59268ce122cbe861437d99de240.exe
2600	c401e59268ce122cbe861437d99de240.exe
2600	c401e59268ce122cbe861437d99de240.exe
2820	c401e59268ce122cbe861437d99de240.exe
2820	c401e59268ce122cbe861437d99de240.exe
4616	c401e59268ce122cbe861437d99de240.exe
4616	c401e59268ce122cbe861437d99de240.exe
3116	c401e59268ce122cbe861437d99de240.exe
3116	c401e59268ce122cbe861437d99de240.exe
2060	c401e59268ce122cbe861437d99de240.exe
2060	c401e59268ce122cbe861437d99de240.exe
912	c401e59268ce122cbe861437d99de240.exe
912	c401e59268ce122cbe861437d99de240.exe
2664	c401e59268ce122cbe861437d99de240.exe
2664	c401e59268ce122cbe861437d99de240.exe
2200	c401e59268ce122cbe861437d99de240.exe
2200	c401e59268ce122cbe861437d99de240.exe
2244	c401e59268ce122cbe861437d99de240.exe
2784	c401e59268ce122cbe861437d99de240.exe
2244	c401e59268ce122cbe861437d99de240.exe
1376	c401e59268ce122cbe861437d99de240.exe
2784	c401e59268ce122cbe861437d99de240.exe
1376	c401e59268ce122cbe861437d99de240.exe
1684	c401e59268ce122cbe861437d99de240.exe
1684	c401e59268ce122cbe861437d99de240.exe
3756	c401e59268ce122cbe861437d99de240.exe
3756	c401e59268ce122cbe861437d99de240.exe
4428	c401e59268ce122cbe861437d99de240.exe
4428	c401e59268ce122cbe861437d99de240.exe
4020	c401e59268ce122cbe861437d99de240.exe
4020	c401e59268ce122cbe861437d99de240.exe
4532	c401e59268ce122cbe861437d99de240.exe
4532	c401e59268ce122cbe861437d99de240.exe
860	c401e59268ce122cbe861437d99de240.exe
860	c401e59268ce122cbe861437d99de240.exe
4032	c401e59268ce122cbe861437d99de240.exe
4032	c401e59268ce122cbe861437d99de240.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3104	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	4528	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	2820	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	4540	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	1108	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	2128	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	2648	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	3292	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	3352	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	588	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	700	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	2600	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	2820	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	4616	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	3116	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	2060	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	912	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	2664	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	2200	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	2784	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	2244	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	1376	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	1684	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	3756	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	4428	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	4020	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	4532	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	860	c401e59268ce122cbe861437d99de240.exe
Token: SeDebugPrivilege	4032	c401e59268ce122cbe861437d99de240.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c401e59268ce122cbe861437d99de240.exe

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
"C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 24
3⤵
- Program crash
PID:4084

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:424

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 24
3⤵
- Program crash
PID:4288

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
C:\Users\Admin\AppData\Local\Temp\c401e59268ce122cbe861437d99de240.exe
2⤵
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c401e59268ce122cbe861437d99de240.exe.log
MD5
6bd73b7851af1ae243eed68a439ebcc7

SHA1
2854a97969895fe2ed96974fec15851a36b72bf6

SHA256
e54b37f26930f7685045f66a1aca719bbf00b5d883bbe2cec26566fcbdaf014c

SHA512
4613d33124651ccd2b0782c750792b606ecbdfc247448b60dbb828e70f7099e069704348d95bd939b3ad8654ca39035f53488b4ac4c93ec92f0aa9da46b4c19b

Download Submit
memory/588-286-0x000000000041C5F2-mapping.dmp

Download
memory/588-296-0x0000000005550000-0x0000000005A4E000-memory.dmp

Filesize
5.0MB

Download
memory/700-308-0x0000000005560000-0x0000000005A5E000-memory.dmp

Filesize
5.0MB

Download
memory/700-298-0x000000000041C5F2-mapping.dmp

Download
memory/860-609-0x0000000005930000-0x0000000005E2E000-memory.dmp

Filesize
5.0MB

Download
memory/860-598-0x000000000041C5F2-mapping.dmp

Download
memory/912-421-0x0000000005820000-0x0000000005D1E000-memory.dmp

Filesize
5.0MB

Download
memory/912-411-0x000000000041C5F2-mapping.dmp

Download
memory/1108-188-0x000000000041C5F2-mapping.dmp

Download
memory/1108-198-0x0000000005120000-0x000000000561E000-memory.dmp

Filesize
5.0MB

Download
memory/1276-647-0x000000000041C5F2-mapping.dmp

Download
memory/1276-657-0x0000000004E20000-0x000000000531E000-memory.dmp

Filesize
5.0MB

Download
memory/1376-500-0x0000000005190000-0x000000000568E000-memory.dmp

Filesize
5.0MB

Download
memory/1376-490-0x000000000041C5F2-mapping.dmp

Download
memory/1684-512-0x00000000053E0000-0x00000000058DE000-memory.dmp

Filesize
5.0MB

Download
memory/1684-502-0x000000000041C5F2-mapping.dmp

Download
memory/2060-382-0x000000000041C5F2-mapping.dmp

Download
memory/2060-392-0x00000000053E0000-0x00000000058DE000-memory.dmp

Filesize
5.0MB

Download
memory/2128-200-0x000000000041C5F2-mapping.dmp

Download
memory/2128-215-0x00000000058B0000-0x0000000005DAE000-memory.dmp

Filesize
5.0MB

Download
memory/2200-457-0x0000000004D90000-0x000000000528E000-memory.dmp

Filesize
5.0MB

Download
memory/2200-442-0x000000000041C5F2-mapping.dmp

Download
memory/2244-472-0x000000000041C5F2-mapping.dmp

Download
memory/2244-488-0x0000000004E20000-0x000000000531E000-memory.dmp

Filesize
5.0MB

Download
memory/2600-315-0x000000000041C5F2-mapping.dmp

Download
memory/2600-331-0x00000000055B0000-0x0000000005AAE000-memory.dmp

Filesize
5.0MB

Download
memory/2648-218-0x000000000041C5F2-mapping.dmp

Download
memory/2648-232-0x00000000053E0000-0x00000000058DE000-memory.dmp

Filesize
5.0MB

Download
memory/2664-439-0x00000000053E0000-0x00000000058DE000-memory.dmp

Filesize
5.0MB

Download
memory/2664-424-0x000000000041C5F2-mapping.dmp

Download
memory/2784-459-0x000000000041C5F2-mapping.dmp

Download
memory/2784-469-0x0000000004E20000-0x000000000531E000-memory.dmp

Filesize
5.0MB

Download
memory/2820-161-0x0000000005190000-0x000000000568E000-memory.dmp

Filesize
5.0MB

Download
memory/2820-344-0x0000000004ED0000-0x00000000054D6000-memory.dmp

Filesize
6.0MB

Download
memory/2820-334-0x000000000041C5F2-mapping.dmp

Download
memory/2820-151-0x000000000041C5F2-mapping.dmp

Download
memory/3104-130-0x00000000050E0000-0x00000000055DE000-memory.dmp

Filesize
5.0MB

Download
memory/3104-131-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/3104-120-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3104-128-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/3104-126-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/3104-129-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/3104-127-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/3104-121-0x000000000041C5F2-mapping.dmp

Download
memory/3104-124-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/3104-132-0x00000000086B0000-0x00000000086B1000-memory.dmp

Filesize
4KB

Download
memory/3104-133-0x0000000008DB0000-0x0000000008DB1000-memory.dmp

Filesize
4KB

Download
memory/3104-125-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/3104-137-0x0000000008D20000-0x0000000008D21000-memory.dmp

Filesize
4KB

Download
memory/3104-136-0x0000000008B60000-0x0000000008B61000-memory.dmp

Filesize
4KB

Download
memory/3116-379-0x00000000054E0000-0x00000000059DE000-memory.dmp

Filesize
5.0MB

Download
memory/3116-369-0x000000000041C5F2-mapping.dmp

Download
memory/3292-257-0x0000000005790000-0x0000000005C8E000-memory.dmp

Filesize
5.0MB

Download
memory/3292-242-0x000000000041C5F2-mapping.dmp

Download
memory/3352-270-0x00000000057C0000-0x0000000005CBE000-memory.dmp

Filesize
5.0MB

Download
memory/3352-259-0x000000000041C5F2-mapping.dmp

Download
memory/3756-530-0x000000000041C5F2-mapping.dmp

Download
memory/3756-538-0x0000000005220000-0x0000000005826000-memory.dmp

Filesize
6.0MB

Download
memory/4020-568-0x000000000041C5F2-mapping.dmp

Download
memory/4020-578-0x0000000005190000-0x000000000568E000-memory.dmp

Filesize
5.0MB

Download
memory/4032-633-0x0000000004F70000-0x000000000546E000-memory.dmp

Filesize
5.0MB

Download
memory/4032-621-0x000000000041C5F2-mapping.dmp

Download
memory/4168-640-0x000000000041C5F2-mapping.dmp

Download
memory/4420-272-0x000000000041C5F2-mapping.dmp

Download
memory/4428-550-0x000000000041C5F2-mapping.dmp

Download
memory/4428-560-0x0000000004E30000-0x000000000532E000-memory.dmp

Filesize
5.0MB

Download
memory/4528-139-0x000000000041C5F2-mapping.dmp

Download
memory/4528-149-0x0000000005650000-0x0000000005B4E000-memory.dmp

Filesize
5.0MB

Download
memory/4532-593-0x0000000005260000-0x000000000575E000-memory.dmp

Filesize
5.0MB

Download
memory/4532-580-0x000000000041C5F2-mapping.dmp

Download
memory/4540-169-0x000000000041C5F2-mapping.dmp

Download
memory/4540-185-0x0000000005120000-0x000000000561E000-memory.dmp

Filesize
5.0MB

Download
memory/4616-351-0x000000000041C5F2-mapping.dmp

Download
memory/4616-361-0x0000000005290000-0x000000000578E000-memory.dmp

Filesize
5.0MB

Download
memory/4692-119-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/4692-115-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/4692-118-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4692-117-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 4692 set thread context of 3104	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 4528	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 2820	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 4540	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 1108	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 2128	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 2648	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 3292	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 3352	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 4420	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 588	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 700	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 2600	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 2820	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 4616	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 3116	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 2060	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 912	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 2664	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 2200	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 2784	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 2244	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 1376	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 1684	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 3756	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 4428	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 4020	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 4532	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 860	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 4032	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 4168	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 set thread context of 1276	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe

description	pid	process	target process
PID 4692 wrote to memory of 3224	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 3224	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 3224	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 3104	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 3104	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 3104	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 3104	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 3104	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 3104	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 3104	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 3104	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1884	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1884	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1884	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4448	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4448	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4448	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4528	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4528	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4528	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4528	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4528	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4528	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4528	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4528	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2820	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2820	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2820	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2820	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2820	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2820	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2820	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2820	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1008	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1008	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1008	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4540	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4540	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4540	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4540	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4540	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4540	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4540	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 4540	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1108	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1108	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1108	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1108	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1108	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1108	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1108	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 1108	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2128	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2128	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2128	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2128	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2128	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2128	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2128	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2128	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2648	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2648	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2648	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe
PID 4692 wrote to memory of 2648	4692	c401e59268ce122cbe861437d99de240.exe	c401e59268ce122cbe861437d99de240.exe